'Indian Oil Corporation' shut down affected dealer portal
Hyderabad: Through a screenshot posted on his Twitter handle, @fsc131y, the French researcher popularly known as Elliot Anderson claimed that data of over 6.7 million dealers and distributors associated with Indane, an LPG brand owned by IOC, was displayed on the website.
As the news spread, IOC was quick to issue a statement. In a post put out on their official Twitter handle @IndianOilcl, they refuted any Aadhaar data leak.
“One of my followers on Twitter sent me a tip-off on the data leak. The private message said he had found an Indane gas endpoint that leaks Aadhaar number along with the name, address and more of the customers,” Mr Robert told this newspaper.
An independent cyber security researcher, Mr Baptiste Robert, claims to have found Aadhaar and other private details of 67 lakh Indane dealers. The information was found available on Indian Oil Corporation’s official website.
“According to the sender, he knew a previous Aadhar leaking endpoint, Spandan, and sought my help and sent me an URL. As I investigated further, I arrived on a page that gives out consumer number, name, address and Aadhaar number on the official website.”
The URL of this page begins as https://indane.co.in. The page contains consumer’s number, LPG ID, consumer’s name, present status and KYC status. “Indane is leaking names, addresses and Aadhaar numbers of customers because of lack of authentication in local dealers’ portal,” said Mr Robert.
Asked why he chose to put it in public view instead of reporting to IOC, he said: “I tried to contact them through multiple ways but got no response. After several attempts, I decided to put it on public view on Monday. Though IOC has put out an official statement, they have not responded to me, yet.”
The researcher claimed that less than three hours after the data was leaked, IOC shut down the affected dealer portal.
IOC’s statement said: “The IndianOil, in its software, captures only the Aadhaar number, which is required for LPG subsidy transfer. No other Aadhaar related details are captured by IndianOil. Therefore, leakage of Aadhaar data is not possible through us.”