Mobikwik denies claims of ‘Data Breach’; Company to conduct a forensic ‘Data Security Audit’

The breached data reportedly listed almost 11 crore entries of private and potentially sensitive user data, including over 35 lakh KYC (Know Your Customer) documents in an 8.2TB database.

The cycle of data theft from mobile applications continues: yet another alleged data breach was reported in early March by independent cybersecurity researcher Rajshekhar Rajaharia. The mobile payment app Mobikwik, in a sharp response, denied any breach, saying its user and company data are completely safe and secure.

In its official statement, a Mobikwik spokesperson said the company is “subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform. Under ISO 29147 Responsible Vulnerability Disclosure Program, it has a long running bug bounty programme,” News18 reported.

Denying the reports of data being breached, the spokesperson further added, “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.

“When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”

Meanwhile, an Indian Express report suggests that the allegedly breached data can be searched through a link that is reachable only via the Tor browser.

The digital wallet application further addressed its users in an official statement and mentioned, “All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number.”

Mobikwik has come under scrutiny after numerous notable figures from the cybersecurity community posted about the alleged breach, with some criticizing the company for its inadequate response to a seemingly serious complaint.

Many users raised concerns on Twitter, saying they had found their own personal information, including credit and debit card details, via this link.

Reported as one of the biggest data breaches of its kind, the alleged incident is likely to surface further issues with the app. In a tweet on Tuesday, Rajaharia said he had also reported a bug in the application after his initial conversation with Mobikwik on March 1, and that the digital wallet company denied his claim yet removed that bug within the next hour.

“My 1st March conversation with #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that bug in the next 1 hour. They saved their 1000 rupee bounty by denying it,” independent cybersecurity researcher Rajshekhar Rajaharia’s tweet read.

https://twitter.com/rajaharia/status/1376789345441443840

A News18 report said it could confirm that the dark web database remains live, although the database’s search functionality has been disabled to prevent malicious actors from misusing the data.