Fintech firm refutes breach reports, claims customer information is safe
Indian payment services provider MobiKwik continues to deny reports of a huge data breach affecting millions of customers, despite multiple sources claiming otherwise.
Earlier this month (March 4), the company took to Twitter to accuse “a media-crazed so-called security researcher” of falsely reporting it had been subject to a leak.
MobiKwik claimed that its user and company data was “completely safe and secure” in a Twitter thread.
Commenting on the report, the company said: “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
Fast forward to last night (March 29), when reports claimed that the details of 3.5 million MobiKwik users – equaling around 8.2 TB of data records – were discovered on the dark web.
Posting on RaidForums, an underground marketplace, a user by the name of ‘ninja_storm’ claimed to have 8.2 TB of data that had been taken from MobiKwik.
The data was said to contain the sensitive personal information of millions of customers, including their payment card details, names, and addresses, as well as user email addresses, phone numbers, passwords to installed mobile apps, IP addresses, and GPS locations.
According to ninja_storm, there are potentially 10 million KYC records included in the breached database. KYC – or ‘Know Your Customer’ – is a verification process Indian banks use to ensure services are not misused.
A screenshot of a post claiming to have access to user data from MobiKwik
The purported data breach was first disclosed by security researcher Rajshekhar Rajaharia on March 1, when he contacted MobiKwik to inform them of the leak.
However, as seen in screenshots posted to Twitter, MobiKwik denied that there was an issue.
Rajaharia also alleged that MobiKwik failed to honor a bug bounty payout after he reported a security vulnerability that was fixed but not acknowledged.
Rajaharia posted about the incident on Twitter and found his account was subsequently locked due to “posting personal information”, after an apparent request by MobiKwik to have his tweets taken down.
A few days later, MobiKwik tweeted the claims that their data was “safe and secure”.
‘Biggest leak in history’
Security researcher Baptiste Robert, known online as ‘Eliot Alderson’, also found his Twitter account locked after claiming that the incident is “the biggest KYC leak in history”.
Twitter user Kiran Jonnalagadda shared a screenshot of what he says is his own payment data from the leak.
And Troy Hunt, founder of breach detection website Have I Been Pwned?, wrote: “Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling ‘mobikwik data breach’ now...”
Data breach denial
MobiKwik has continued to deny the allegations, releasing a lengthy statement refuting claims that user data is available on the dark web.
The statement read: “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms.
“Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
A spokesperson for MobiKwik told The Daily Swig: “As a regulated entity, the company takes its data security very seriously and is fully compliant with applicable data security laws.
“The company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications, which include annual security audits and quarterly penetration tests to ensure security of its platform.
“As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.
“The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit.
“For its users, the company reiterates that all MobiKwik accounts and balances are completely safe.”