Mobikwik, Security Researchers Lock Horns On Possible Data Breach
Digital payments company Mobikwik has denied claims made by security researchers that a vast amount of consumer data has been leaked onto the dark web due to a breach in its systems. In response, researchers have taken to social media with what they claim is evidence of the breach.
Mobikwik, which is planning for an initial public offering, said that user data is secure.
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” the company said in response to BloombergQuint’s query on Monday.
Claims of a data breach have resurfaced over the past 24 hours, with some security researchers claiming they had flagged the breach months ago.
In response to Mobikwik’s denial, security researchers hit back with what they claim are parts of the data dump available on the dark web.
Rajshekhar Rajaharia, an independent cyber security researcher, claims that the breach first emerged in February and was denied by the company.
“A day after the February data breach, the hacker/s claimed in a post that they lost access to the Mobikwik server while downloading data, after which the company claimed nothing had happened. Now, the hacker has recovered the data...,” he said.
Other users and researchers also took to Twitter to claim that their sensitive personal information was found online.
Kiran Jonnalagadda, founder of Hasgeek.com, a platform for technology practitioners to share their learnings and collaborate, told BloombergQuint that data of some Mobikwik users, including his own data, is available online. From conversations that Jonnalagadda has had, he believes that the level of data available differs across users, with some who have the Mobikwik application seeing a wider set of their data available online. Jonnalagadda said that while he is not aware of the source.
Since there is no regulatory body to investigate such allegations of cyber attacks by way of audits for private companies, there is no independent way to verify the authenticity of these claims, said Trishneet Arora, founder and chief executive of the cyber security firm TAC Security. “In such cases, the customer only has the option to rely on the company’s version,” Arora said.
RBI regulations require immediate reporting of any breach.
In its March 2020 guidelines, specifically addressed to payment aggregators and payment gateways, the Reserve Bank of India sought immediate reporting of data breaches to itself and the Indian Computer Emergency Response Team or CERT-IN. The guidelines require these companies to carry out and submit quarterly internal and annual external audit reports and bi-annual vulnerability assessments to the regulator.
In response to additional queries, Mobikwik said that as soon as the matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. “The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” a MobiKwik spokesperson said.