Indane, a state-owned gas provider in India, left a section of its website open to dealers and distributors despite though it is only intended to be accessed with a verified username and password.
An anonymous security researcher who sought to protect his identity out of concern for retaliation from the Indian government discovered the material.
It was found that customer data for 11,000 dealers, including names and addresses of customers, as well as the customers’ confidential Aadhaar numbers hidden in the link of each record were visible after the exposure.
TPRM report: https://scoringcyber.rankiteo.com/company/indane-gas
"id": "ind143518223",
"linkid": "indane-gas",
"type": "Data Leak",
"date": "02/2019",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': '11,000',
'industry': 'Energy (Gas)',
'location': 'India',
'name': 'Indane',
'type': 'State-owned Enterprise'}],
'attack_vector': 'Unsecured Website',
'data_breach': {'number_of_records_exposed': '11,000',
'personally_identifiable_information': ['Names',
'Addresses',
'Aadhaar Numbers'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information']},
'description': 'Indane, a state-owned gas provider in India, left a section '
'of its website open to dealers and distributors despite '
'though it is only intended to be accessed with a verified '
'username and password. An anonymous security researcher '
'discovered the material, which included customer data for '
'11,000 dealers, including names and addresses of customers, '
'as well as the customers’ confidential Aadhaar numbers hidden '
'in the link of each record were visible after the exposure.',
'impact': {'data_compromised': ['Names', 'Addresses', 'Aadhaar Numbers']},
'threat_actor': 'Anonymous Security Researcher',
'title': 'Indane Data Exposure',
'type': 'Data Exposure',
'vulnerability_exploited': 'Lack of Authentication'}