A day after an alleged data breach that affected the data of 3.5 million of its users, payment firm MobiKwik said it had found no evidence of a leak, would get a security audit conducted, and was working with requisite authorities.
"The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit," the firm said in a blog post.
The alleged data leak, which led to the Twitter trend "MobikwikDataLeak" on Tuesday, has reportedly exposed close to 8.2 terabytes (TB) of data on the dark web, including know-your-customer (KYC) details, addresses, phone numbers and Aadhaar card data of its users.
According to reports, data of close to 3.5 million users was at risk. On Monday, a link from the dark web began circulating online, and several users confirmed seeing their personal details in it.
Many people also posted screenshots of the alleged MobiKwik user data, which, according to sources, was up for sale for 1.5 bitcoin or about $86,000.
"Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source," MobiKwik said in the blog post.
The leak was first reported in February by security researcher Rajshekhar Rajaharia; the company denied it at the time.
"When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach," MobiKwik said Tuesday.
Rajaharia on Tuesday posted screenshots of his conversation with MobiKwik on Twitter.
My 1st March conversation with #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that bug in the next 1 hour. They saved their 1000 rupee bounty by denying it. #InfoSec #DataLeak #GDPR @sanjg2k1 @fs0c131y @troyhunt pic.twitter.com/pP0VRU0vqC
— Rajshekhar Rajaharia (@rajaharia) March 30, 2021
He followed it with screenshots of his email informing MobiKwik of the details of the leak, as well as of a bug that was exposing user data, to which MobiKwik responded that the reported bug only involved "client-side data".
"The company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure security of its platform. Under the ISO 29147 Responsible Vulnerability Disclosure Program, it has a long-running bug bounty program, where ethical hackers report security issues which are immediately fixed," MobiKwik said in its post.
ISO 29147 is a standard that provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services.