Digital wallet company MobiKwik on Tuesday said that it will have a third party conduct a forensic data security audit after allegations of a data breach of users’ personal details resurfaced a day ago. Independent security researchers have claimed that the personal data of nearly 3.5 million (35 lakh) users of MobiKwik was leaked. It is reportedly available for purchase on dark web.
“The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached,” the company said in a statement. “Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
It assured its users that their MobiKwik accounts and balances are safe and warned against opening any dark web or anonymous link as they could jeopardise the cyber safety of the users.
“All financially sensitive data is stored in encrypted form in our databases,” MobiKwik said. “No misuse of your wallet balance, credit card or debit card is possible without the one-time-password that only comes to your mobile number.”
The digital payment company said users have reported their data was visible on the dark web and that it was investigating the matter. However, it pointed out that it was possible that the users could have uploaded their information on multiple platforms. “Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source,” the company said.
MobiKwik said that when the breach was first reported last month, it conducted a thorough investigation with the help of external security experts and did not find any evidence of a breach. “We are committed to a safe and secure Digital India,” the company said.
The data breach was originally flagged in February by internet security researcher Rajshekhar Rajaharia. The matter resurfaced on Monday after French cybersecurity researcher Elliot Alderson tweeted about it.
“Probably the largest KYC [know-your-customer] data leak in history,” Alderson tweeted, along with a screenshot of the database containing information of the users’ personal data. “Congrats Mobikwik...”
The screenshot showed that people can search the database using their phone number or email address to find all information stored in the servers of the digital wallet company. “This database in 8.2 TB [terabyte] and contains 36,099,759 files,” the screenshot said. “Nearly 3.5 million people’s KYC details. Along with 99,224,559 user phone numbers, emails, hashed passwords, addresses, bank accounts and card details etc.”
In February, Rajaharia claimed that the breach has happened twice this year. He added that the hacker had access to MobiKwik’s server since January and said that the Reserve Bank of India should investigate the matter.
The security researcher again brought up the matter on March 4. “11 crore Indian card holders data alleged leaked from MobiKwik Server, hacker claimed,” he tweeted. “It seems hacker still have their data. Backup was alleged taken on 20 January 2021. He claim to have Mobikwik access since last 30 days. Reserve Bank of India and Indian Computer Emergency Response Team, please look into this matter.”
Following Rajaharia’s March 4 statement, MobiKwik denied the claims. “A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organisation while desperately trying to grab media attention,” the company tweeted. “We thoroughly investigated his allegations and did not find any security lapses.”
Currently, India does not have a robust mechanism for the protection of user data and penal actions in cases of data breach, according to The Indian Express. The Personal Data Protection Bill, which is said to contain provisions to deal with this is pending in Lok Sabha since 2019.
Without the Personal Data Protection Bill, the Information Technology Act of 2000 and other rules made in 2011 are used for matters of data protection. Several experts have pointed out that these legislations are inadequate.
“In case of foreign companies, if a breach happens, they accept it and inform the users,” independent cybersecurity expert Indrajeet Bhuyan. “Most Indian companies do not acknowledge such breaches, let alone inform the user that the database had been breached.”
There has also been a rise in the number of data breaches in India in past few years. According to the national cybersecurity agency, cyberattacks have increased from 53,117 in 2017 to 2,08,456 in 2018, 3,94,499 in 2019 and 11,58,208 in 2020.