The incidents of data breaching are coming into the picture every other day. Recently a well-known mobile payment platform ‘MobiKwik’ has undergone a major data breach that exposed the private information of more than 10 legitimate core users. The information that has been violated is the user’s name, e-mail addresses, KYC details, credit/debit card numbers, and many other details. Moreover, the data of 3.5 million users was put up for sale on the dark web. The database was about 8.2TB eye-watering in size and that data was sold for 11.5 Bitcoin approximately Rs 63,640,00. The data breach was first identified by security researcher Rajshekhar Rajaharia in February and he stated that ” About 11 Crore Indian cardholders, data including personal details & KYC soft copy, PAN card, Aadhar card, etc was allegedly leaked by a company’s server in India and 6 TB KYC data, as well as 350 GB, compressed MySQL data was also leaked. ”
When this matter first came into view on Twitter, the company initiated to examine this matter with the help of external security experts and they did not find any evidence of this data breach. One of the company’s members also said that “The company works closely with important authorities and they are confident that security protocols to file sensitive data are robust and have not been breached. Due to the severity of the allegations, a third party will forward a forensic data security check to our users. We reemphasize that all your MobiKwik accounts and balances are completely secure and protected. All sensitive financial details are stored in encrypted form in our databases. So, there is no misuse of the user’s wallet balance, credit card, or debit card is possible without the unique password (OTP) that only reaches your mobile phone number. We strongly suggest that users should not attempt to open any unknown anonymous web links as they may risk cybersecurity. We are committed to a secure, digital India.”
Even worse, MobiKwik strongly contradicts that its infrastructure has been compromised. And he also says that “Some so-called security researchers have frequently tried to submit concocted files, wasting precious time for our organization and members of the media. We conducted an in-depth investigation and found no security breaks. Our user and company data is completely secure and safe.” He has been largely silent on the issue since the declaration was issued.
It’s not the first time MobiKwik has gone through a violation. The company had another infosec incident in 2010 and learned nothing from it. It still refuses to admit that there has been an attack on its servers, despite overwhelming evidence of the contrast. Whether or not it has found out the vulnerability is still unknown. There is no support for affected users, given that 100% of their personal information has been leaked online, which is a great threat to user’s privacy.
By Navya Swarup
Campus Ambassador, WCSF