ADVERTISEMENT

RBI Asks Mobikwik To Conduct Forensic Audit

The RBI is seeking a forensic audit report to get to the bottom of allegations of a data breach.

Motorists refuel their vehicles as signage for digital-payment service MobiKwik, operated by One MobiKwik Systems Pvt., is displayed. (Photographer: Dhiraj Singh/Bloomberg)
Motorists refuel their vehicles as signage for digital-payment service MobiKwik, operated by One MobiKwik Systems Pvt., is displayed. (Photographer: Dhiraj Singh/Bloomberg)

The Reserve Bank of India has asked payment firm Mobikwik to conduct a forensic audit, after claims of a data breach emerged which were then denied by the company.

According to a person familiar with the matter, Mobikwik has been asked to conduct a forensic audit and submit a report at the earliest. The audit should be conducted by an agency empanelled with CERT-In, India’s official computer emergency response team, the person cited earlier said on condition of anonymity.

In response to a query from BloombergQuint, a Mobikwik spokesperson said: “We take the privacy and security of our user data very seriously. We’re working closely with requisite authorities to conduct an independent forensic audit.” An RBI spokesperson declined comment.

Mobikwik has found itself in the middle of a battle with so-called ethical hackers, who claimed that user data from Mobikwik servers has been leaked on the dark web. At first, the company denied it but faced push-back from security researchers who took to social media to post what they claimed was evidence of the data breach.

Later, the company said it was investigating these claims. In a blog post, Mobikwik said as soon the matter was reported, the company undertook a thorough investigation with the help of external security experts and didn’t find any evidence of a breach. “The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the post said, without specifying that the regulator has sought such an audit.

According to the person cited earlier, Mobikwik has been in touch with CERT-In. The company claims that copies of the alleged breached data sent by CERT-In doesn’t match its own. Mobikwik has said an attempt to breach the company’s security systems earlier in March was foiled, said the person, adding that a forensic audit will help get to the bottom of the matter.