The personal details of up to 6.7 million people in India — including biometric ID numbers — were left accessible via a Google search, a security specialist revealed Monday.
Discovered by an anonymous Indian security researcher and revealed by French security expert Baptiste Robert, the leak marks just the latest embarrassing breach of Aadhaar — the world’s largest biometric database that the Indian government claims is hack-proof.
The state-owned gas company Indane misconfigured a part of its website, allowing anyone to collect the names and addresses of customers, which are usually accessible only to dealers and distributors, according to Robert. He also found customers’ confidential Aadhaar numbers hidden within the code.
“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” Robert said in a Medium post explaining his research.
The data collected by Robert was verified by TechCrunch.
Aadhaar is the world’s largest biometric database and is used in India for everything from voting to opening a bank account and getting access to food rations. While Aadhaar numbers are not secret, they are treated as confidential in the same way as a social security number.
The researcher told VICE News that he couldn’t say whether or not the information had been accessed by anyone else.
Robert said he informed Indane about the breach on Feb. 15 but, as he didn’t receive a response, decided to publish his findings.
Within hours of the news breaking, parent company Indian Oil put out a statement denying that there was any leak of Aadhaar information.
However, Indane’s website has now been taken offline without explanation.
Robert, who uses the online pseudonym Elliot Anderson, added that he had screenshots that proved Aadhaar numbers were exposed.
The Indian government has held up Aadhaar as a shining beacon of modernity that everyone else should aspire to and has consistently claimed that its security is so good that the system cannot be breached.
The government and, in particular, Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), have a record of quickly dismissing any suggestions that their system is vulnerable, calling critical articles “fake news” and even going as far as threatening legal action and filing police complaints against journalists.
Last month an Indian state government leaked the Aadhaar numbers belonging to 160,000 government workers.
Cover image: An Indian woman getting her fingerprints read during the registration process for Aadhaar cards (or unique identifier [UID] cards) in Amritsar. (NARINDER NANU/AFP/Getty Images)