India’s state gas company leaks millions of Aadhaar numbers

Another security lapse has exposed millions of Aadhaar numbers.

This time, India’s state-owned gas company Indane left exposed a part of its website for dealers and distributors, even though it’s only supposed to be accessible with a valid username and password. But that part of the site was indexed in Google, allowing anyone to bypass the login page altogether and gain unfettered access to the dealer database.

The data was found by a security researcher who asked to remain anonymous for fear of retribution from the Indian authorities. Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), is known to quickly dismiss reports of data breaches or exposures, calling critical news articles “fake news,” and threatening legal action and filing police complaints against journalists.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson and has prior experience investigating Aadhaar exposures, investigated the exposure and provided the results to TechCrunch. Using a custom-built script to scrape the database, he found customer data for 11,000 dealers, including names and addresses of customers, as well as the customers’ confidential Aadhaar number hidden in the link of each record.

Robert, who explained more about his findings in a blog post, found 5.8 million Indane customer records before his script was blocked. In all, Robert estimated the total number affected could surpass 6.7 million customers.

We verified a sample of Aadhaar numbers from the site using UIDAI’s own web-based verification tool. Each record came back as a positive match.

A screenshot showing the unauthenticated access to Indane’s dealer portal, which included sensitive information on millions of Indian citizens. This was one dealer who had 4,034 customers. (Image: TechCrunch)

It’s the latest security lapse involving Aadhaar data, and the second lapse to embroil Indane. Last year, the gas and energy company was found leaking data from an endpoint with a direct connection to Aadhaar’s database. This time, however, the leak is believed to be limited to its own data.

Indane is said to have more than 90 million customers across India.

The exposure comes just weeks after an Indian state leaked the personal information of more than 160,000 government workers, including their Aadhaar numbers.

Aadhaar numbers aren’t secret, but are treated as confidential and private information similar to Social Security numbers. More than 90 percent of India’s population, some 1.23 billion citizens, are enrolled in Aadhaar, which the government and some private enterprises use to verify identities. The government uses Aadhaar to enroll citizens in state services, like voting, or applying for welfare or financial assistance. Some companies also pushed customers to enroll their bank accounts or phone service to their Aadhaar identity, but this was recently struck down by the country’s Supreme Court. Many say linking their Aadhaar identities to their bank accounts has led to fraud.

The exposure is likely to reignite concerns that the Aadhaar system is not as secure as UIDAI has claimed. Although few of the security incidents have involved a direct breach of Aadhaar’s central database, the weakest link remains the companies or government departments that rely on the data.

We contacted both Indane and UIDAI, but did not hear back.

What an American artificial intelligence initiative really needs

At a high level, the American AI Initiative seems to be headed in the right direction. We absolutely need a holistic approach that considers all the various areas that are critical to building innovative AI solutions. This seems to be an underlying concept of the Initiative, as the executive order places priority on making data available across government agencies, allocating cloud computing resources to support AI R&D and training the workforce. Commitment to AI innovation is critical to maintaining our leadership position in technology with the increasing level of global AI competition.

We know that China, France and the U.K. have invested and committed billions already to their own AI initiatives. The American AI Initiative as it stands does little to blunt the fears that America will fall behind in its technological edge. In fact, its lack of particulars sends exactly the opposite message.

If the government wants to demonstrate its support for AI, it needs to commit significant funding and investment in education to retain, attract and grow the talent necessary to support such a critical industry that has the potential to define our future and truly increase American competitiveness.

We have started to see momentum from some institutions that have already announced funding initiatives for AI research and advanced computer science education, such as MIT’s $1 billion commitment to AI, but we need government agencies and other private institutions to follow suit in order to effectively change the landscape. Such investments and focus on advanced technology development must become the baseline expectation for competition in our country.

We also need continuous and robust investments from VCs for AI startups across industries and markets, as there exists ample opportunity for backing transformative AI startups. Now is the time for the government and private capital to come together and jointly put our monies where our mouths are.

Beyond funding, the government must take a hard look at the global AI talent pool and accelerate the incoming flow of talent to our country, whether through academia or industry. According to NVCA (National Venture Capital Association), an estimated 51 percent of domestic private companies valued at $1 billion or more had one or more founders who were born outside of the U.S.

Overall, 31 percent of venture-backed founders are immigrants. A large number of these are leading technology companies at the forefront of developing new American products and services, many of which will leverage some form of AI in the next few years if they aren’t already. Attracting and retaining fresh talent, educators and data scientists must be a part of our national agenda, as the talent pool necessary to take a leadership position in AI is currently cannibalizing itself.

With respect to the American AI Initiative, success comes down to the details and specific plans, which will be determined over the course of the next three to six months. Each of the milestones outlined in the executive order is an important advancement, but the Initiative will only truly succeed if it is built holistically.

Access (and the necessary protections) to data, access to cloud computing and a commitment to computer science must be embraced by the government as an integral part of our technology-driven businesses and personal lifestyles. These cannot be viewed as separate components in disparate silos.

If the government can champion a frontier technology and data-centric approach, the American AI Initiative has the potential to both reduce barriers to entry for AI startups and elevate the entire tech, business and innovation landscape. But it starts with a commitment to academic education, training for the workforce and a deliberate and concerted focus on ensuring public trust in AI. While no small feat, this is what is required to guarantee the intelligent future of America, and its leadership role in global innovation.