NEW DELHI: MobiKwik is receiving widespread criticism after several cyber security experts presented substantial evidence of a data leak at the digital wallet company, one of the biggest breaches to date.
The leaked data reportedly included KYC details of 3.5 million people, along with phone numbers, email addresses, hashed passwords, postal addresses, bank account and card details of close to 10 crore users.
However, for the past month the company has continued to deny the massive data leak, insisting that user information is safe, but security researchers and users are not convinced. In February, security researcher Rajshekhar Rajaharia found the data breach. “11 Crore Indian Cardholders’ Cards Data Including personal details & KYC soft copy (PAN, Aadhaar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump,” he had said. Another security researcher by the name of Elliot Alderson shared screenshots of the MobiKwik breach on Twitter. It was the “largest KYC data leak in history,” he said.
Despite several attempts to highlight the issue, MobiKwik kept denying any breach at their end. On Tuesday, the company issued a statement. Here is what MobiKwik said and how netizens and cyber experts responded to it.
- MobiKwik is a Truly Indian Payments App used by 100 million Indians and built by 350 Indians.
The Indian part does not matter. You can say this is by Indians, for Indians and of Indians. None of that matters. Right now what matters is that the customer data has been breached.
- Since inception, the company has grown primarily on the strength of its consumer trust.
Users who say they never gave MobiKwik permission to store their credit card numbers are finding those numbers in the breached database. The leaked data shows the company is storing more than it should. With such sensitive details now open to the public, security is the only thing the company should be talking about.
- The company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications.
Compliance is being equated with security; unfortunately, people are now questioning both.
- Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms.
Blaming users for uploading their own data to multiple platforms should be the last thing the company hides behind. Surely the company can think of a better excuse? Multiple unconnected users are reporting the same thing, and the company still suggests they uploaded their own data to the darkweb?
- When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts.
Name those experts. Share the scope of the assessment. Were there any constraints on the investigation?
- Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.
Meanwhile, the man who first reported the flaw was pressured into silence. Getting his post deleted and threatening legal action were among the steps taken to shoot the messenger. The company called Rajaharia a ‘media-crazed so-called security researcher’ and accused him of presenting ‘concocted files’ that wasted the organisation’s precious time while he desperately tried to grab media attention.
Here is what MobiKwik has to say in their statement:
MobiKwik is a Truly Indian Payments App used by 100 Million Indians and built by 350 Indians. Since inception, the company has grown primarily on the strength of its consumer trust. As a regulated entity, the company takes its data security very seriously, and is fully compliant with applicable data security laws.
The company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform. Under its ISO 29147 Responsible Vulnerability Disclosure Program, it has a long-running Bug Bounty program, where ethical hackers report security issues which are immediately fixed.
Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.
When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.
For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety.
We are committed to a safe and secure Digital India.