If one thing that the pandemic has taught us, it is the importance of online transactions and digital payments. However, Indian regulatory bodies require the online banking platforms to collect the customer data and store it digitally, for the purposes of Recordkeeping, Assistance for Law Enforcement etc, where this can be an expensive and troublesome task as the same also requires the companies to follow certain International Standards of Data and Information Security to protect this data or otherwise face the claims and litigations filed under Section 43A of the Information technology Act, 2000. While it does seem a bit farfetched to think that something like a “customer data leak” could happen to a company, as they are required by the law to have the best security practises and hence there exists next to no chance of any kind of mishaps, but when something like this eventually does happen it can disrupt our lives to a great extent. One won’t even realise that they have become victim to an incident which is much bigger than them and at any moment something bad could happen to them. Something similar has been reported for one of India’s Largest Digital Transaction Platforms, Mobikwik. This blog will take one through the highlights of this incident, the incident which is being referred to as the biggest Data Leak in History.
What has happened?
It has been reported that personal data of over 10 crore Mobikwik Customers has been put for sale on the Dark web. While this news has resurfaced in the month of March, the same was reported to various news platforms by Cyber Security researcher Rajashekhar Rajagharia back in February. He reported that credit card and debit card details, names, emails and other details of about 100 million users of Mobikwik have been leaked on the Dark web. However, the company denied such allegations through their tweet on March 4th, stating that the researcher is “Media-crazed” and all customer data is safe with them.
The news resurfaced when a popular French Security researcher confirmed the same and reshared the post on Twitter. While that tweet was taken down for allegedly violating community guidelines i.e. they violated the term for “Posting private information”, their retweets and activity make their position very clear about the incident.
Furthermore, besides the above-stated categories of data, it has also been reported that the KYC details of the customers, including the Aadhar Card info., Pan cards as well as bank statements of over 5 crore users have also been put up on the dark web for sale by the hacker group known as “ninja_storm” for 1.5 BTC.
Response by Mobikwik
As stated above Mobikwik has continuously denied all the claims made against them, and released a statement on Twitter and a blogpost explaining their position. They explained that they are a company with robust information security protocols in place and are subjected to strictest compliant measures under their PCI-DSS, CISA and ISO 27001:2013 certifications. They also acknowledged that some of the data is available on the dark web, but that is due to the fault of the customer itself as it is possible that they have uploaded their data on multiple platforms. The company also gave reassurances to the customers that while they will investigate the matter using external cybersecurity investigators, the customer data and amounts in their bank accounts remain safe and it can not be deducted without using an OTP i.e. the dynamic password which one receives before every online transaction.
While the company has continuously denied all the claims, these claims are getting more and more convincing as a lot of experts in the field are warranting the results by sharing their findings. Even other news reports such as the one presented by TechCrunch, reveals that according to a screenshot, a MobiKwik official was asking an Amazon Representative for logs related to their cloud service, for the previous month, as it had been brought to their attention that their cloud storage data has been downloaded by some other person outside the organisation.
According to some reports, even the RBI has ordered a forensic audit for Mobikwik, however the same has not been verified by RBI yet. It will be interesting to see how the story plays out in the coming days as the outcome of this story will also grossly affect the plans of the Company launching its IPO in the coming months.