Digital payments firm MobiKwik has been quick to deny certain claims by security researchers who flagged that a substantial amount of consumer data was made available on the dark web due to a system breach.
Shortly after the denial by the company, which is currently planning an initial public offering, a swathe of security researchers took to social media to display what they claim is evidence of the breach.
MobiKwik's Questionable Response
MobiKwik’s initial response to the claims was somewhat retaliatory, deeming those who flagged the issue ‘media-crazed so-called security researchers’ who ‘repeatedly attempt to present concocted files and wasting precious time’ of the company and the media. MobiKwik stated that its own team had investigated, found no security lapses and ensured that the data was secure.
This led the security researchers to reinforce their claims, noting that they had flagged the initial breach in February of 2021 and providing proof of the data dump available on the dark web. Independent cyber security researcher Rajshekhar Rajaharia pointed out that the company had denied the February breach after a hacker claimed in a post that their access to the MobiKwik server was lost whilst downloading data, but that the hacker later recovered the data.
Many other researchers and users took to online platforms to claim that their personal information was found online afterwards.
One individual, Kiran Jonnalagadda of Hasgeek.com, informed BloombergQuint that his own data and that of other MobiKwik users was available online. From a range of conversations that Jonnalagadda has engaged in, it appears the level of data available differs across users, with some who have the application seeing a wider set of data available online.
As of its March 2020 guidelines, the Reserve Bank of India requires immediate reporting of any breach that is flagged, specifically in the areas of payment aggregators and payment gateways.
Regulations in Place
The regulations require all companies to carry out and submit quarterly internal and annual external audit reports, along with bi-annual vulnerability assessments. MobiKwik stated that as soon as the matter was brought up, it was quick to undertake a thorough investigation that found no evidence of any breach. The company pointed out that it was working with authorities and was using a third party to conduct forensic data security audits. Despite this, MobiKwik assures all of its users that their data is safe and secure.