MobiKwik continues to deny any data breach, but will do forensic audit

Given the high-profile nat­ure of the case, the RBI will likely start its own investigation and Mobikwik will have to comply with the central bank's data requests.

A day after an alleged data breach that compromised the sensitive information of 3.5 million of its users, mobile wallet and payments application (app) Mobi­Kwik said in a blogpost on Tuesday it found no evi­dence of a leak, but would get a security audit conducted nonetheless.

“The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached.

"Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit,” the firm said in a blogpost on Tuesday.

Meanwhile, Reserve Bank of India (RBI) is likely to start its own investigation, rev­ealed sources, but the company veh­emently denying any such breach complicates the matter.

When asked to comment over email, the central bank did not respond at the time of going to press.

According to rules, an ‘affected’ company’s risk dep­ar­tment has to approach the RBI.

The central bank starts working independently on its investigation.

A person familiar with the RBI’s method of functioning said MobiKwik has not approached the RBI yet with any such request.

Given the high-profile nat­ure of the case, the RBI will likely start its own investigation and Mobikwik will have to comply with the RBI’s data requests.

If the data breach is found to be genuine, and if the company is found guilty on the grounds of dereliction of duty, or misleading the general public and the RBI about the data breach, actions taken against it will be severe, the person quot­ed above said.

The alleged data leak, which led to #MobikwikDataLeak trending on Tuesday, has exposed close to 8.2 terabytes of data, including KYC details, addresses, phone numbers, Aadhaar card data of its users on the dark web.

On Monday, a link from the dark web began circulating online, and several users confirmed seeing their personal details on it.

The link claimed the data leak was the ‘biggest KYC data leak ever!’

On Tues­day, the search feature was disabled to prevent bots access.

“We masked a lot of information, so that threat actors won’t be able to misuse this data,” it said.

The searchable data page claimed to have KYC details of nearly 3.5 million people, over 99 million user phone num­bers, emails, hashed passwords, addresses, bank acc­ounts, and card details.

Late on Tuesday, a link to a group on messaging app Telegram began circulating, which had KYC details of several users from the data leak.

Many people also posted screenshots of the alleged MobiKwik user data, which, acc­ording to sources, was up for sale for 1.5 bitcoins (or about $86,000).

“Some users have re­ported that their data is visible on the dark web.

"While we are investigating this, it is entirely possible that any user could have up­loaded his/her information on multiple platforms.

"Hence, it is incorrect to suggest that the data available on the dark web has been accessed from Mobi­Kwik or any identified source,” Mobi­Kwik said in a blogpost.

The leak was first reported in February by internet security researcher Raj­shekhar Raja­haria, which the company had denied at the time.

“When this matter was first repo­rted last month, the firm undertook a thorough probe with the help of external security experts and did not find any evidence of a breach,” MobiKwik said on Tuesday.

Rajaharia told Business Standard that his intent — when he posted details about the breach — was to let people know their data had been compromised.

He posted screenshots of his email to Mobi­Kwik informing the firm about an issue with its app programming interface, which helps data tra­nsfer bet­ween one software product and another.

“My March 1 conversation with #Mob­kwik after this serious data breach... I also reported a bug.

"It denied it too and removed that bug in the next one hour.

"It saved its Rs 1,000 bounty by denying it,” he tweeted.

He followed it with screenshots of his email inf­orming MobiKwik of the details of the leak as well as a bug that was exposing data, where MobiKwik resp­onded saying the reported bug only contained ‘client-side data’.

Rajaharia also said MobiKwik had never contacted him.

“The company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications.

"These include annual security audits and quarterly penetration tests to ensure security of its platform.

"Under ISO 29147 responsible vulnerability disclosure program, it has a long running bugs bounty program, where ethical hackers report security issues which are immediately fixed,” MobiKwik said.

Photograph: Kind courtesy, MobiKwik/Twitter