Leading Indian Fintech Platform MobiKwik Denies Data Breach
Indian digital financial services platform MobiKwik denies claims that almost 8 TB of data put up for sale was stolen from its servers.
This privately held fintech platform provides financial services and a phone-based payment gateway to more than 120 million users.
MobiKwik says that approximately 3 million merchants and over 300 billers are currently using its services.
Personal and financial info of millions up for sale
Security researcher Rajshekhar Rajaharia discovered a threat actor attempting to sell what he claimed to be a database of sensitive info stolen from MobiKwik after having access to the company’s servers since January 2021.
After Rajaharia revealed his findings on Twitter last month, MobiKwik denied having been affected by this massive data breach, saying that Rajaharia wants to “grab media attention.”
The company also said that “user and company data is completely safe and secure” since an investigation “did not find any security lapses.”
MobiKwik added that its “legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives.”
The data allegedly stolen from MobiKwik contains personal and financial information (addresses, phone numbers, emails, and hashed passwords) of almost 100 million individuals, and bank accounts and card details of around 40 million.
The database being sold online also includes the KYC (Know Your Customer) data of roughly 3.5 million Indians.
The threat actor who put the allegedly stolen data up for sale also created a search portal to allow anyone to check if their data is included in the stolen data.
The search field has since been removed due to a large amount of traffic and to add a captcha for blocking bots trying to scrape the data.
MobiKwik denies breach again, points finger at customers
Today, the company doubled down on their previous statement, denying again that the data breach ever happened and saying that customers who found their data exposed on the dark web might’ve uploaded the data themselves.
“Some users have reported that their data is visible on the darkweb,” MobiKwik said in a statement published today.
“While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms.
“Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”
MobiKwik says that external security experts found no evidence of a data breach following a thorough investigation since the breach was reported by Rajaharia last month.
Security audit planned
The fintech platform will also hire third-party experts for a security audit, although its services have most likely not been breached.
“The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached,” MobiKwik said.
“Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
MobiKwik also reassured customers that their accounts are safe and that their financial information is stored in encrypted form.
Over ten years ago, MobiKwik suffered a breach after attackers gained access to some of its servers and sent emails offering to sell confidential info belonging to MobiKwik users.