Financial services company MobiKwik has suffered a data breach. The MobiKwik hack has leaked the personal details of 3.5 million users, and the data is up for sale on the darknet. The breach was initially flagged by internet security researcher Rajshekhar Rajaharia, who tweeted about it on March 04, 2021.
Yesterday, the French cybersecurity researcher Elliot Alderson also backed the claim through a tweet.
He tweeted a screenshot of the data leak. According to the screenshot, the database is around 8.2TB and contains 36,099,759 files and KYC details of 3.5 million people. The seller of the database has set up a dark web portal where one can search by phone number or email ID. The database can also be purchased for 1.5 Bitcoin (approx. $85,000). The data dump is said to contain 350GB of MySQL dumps or 500 databases, 99 million email, phone, passwords, physical addresses, IP addresses, GPS location and device-related data, as well as 40 million records of card numbers, expiry dates and card hashes.
Along with this, the data dump also has 7.5TB of merchant KYC data pertaining to 3.5 million merchants. This includes passports, Aadhaar Cards, PAN Cards, selfies and other photo proofs.
MobiKwik unequivocally denied all such allegations. In a statement, the company said, “Some Media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.” Further, the company said it would pursue legal action against cybersecurity researcher Rajaharia over the claims in his tweet.
Increasing cases of Data Breach
The number of data breaches in India has been rising over the last two years. In November 2020, BigBasket filed a complaint with the Cyber Crime cell in Bengaluru to verify claims of a data leak made by cybersecurity intelligence firm Cyble that a hacker had put up the online grocer’s data for sale on the dark web for over $40,000. In May 2020, Unacademy also disclosed a data breach that compromised the accounts of 22 million users. Zee 5 was also breached, leaking data of 9 million users. A hacking group had reported a breach to India’s critical information infrastructure, while a report claimed that China had sponsored the Mumbai blackout. The MHA had recently stated that India had suffered 12 lakh cyber security related incidents in 2020.
Bipin Preet Singh and Upasana Taku founded the company in 2009. Initially it worked as a digital wallet, but it later shifted to a fintech that offers multiple financial services including credit, insurance and gold loans. MobiKwik raised (approx.) INR 223 Crore ($29.56 million) from investors like Sequoia Capital, American Express, Bajaj Finserv and others.
What can you do about it?
The Information Technology Act, 2000, provides for a Computer Emergency Response Team (CERT-IN). The Act mandates the organisation with the task of collecting, analyzing, and disseminating information on cyber security incidents. Further, organisations must report any incident of unauthorized access of IT systems/data.
Any individual affected by the incident may also report it to the CERT-IN. Subsequently, CERT-IN would seek information regarding the incident from the affected organisation. The organisation would in turn disclose the details of the incident and the mitigating measures it has taken, and report the issue to its users. However, in case the organisation fails to comply, Section 70B(7) provides for imprisonment of up to one year or a fine of Rs. 1 lakh, or both.
Update: 31.03.2021 (12:15pm)
Medianama reported that the hacker/hacking group that set up a website to showcase user data that was stolen from MobiKwik’s server has deleted the database from their servers. Medianama had previously visited the website through the Onion Router, checked the database for their personal information using their names, emails and phone numbers, and found that the data on that website was accurate.
However, by late on the night of 30th March 2021, the hacker had pulled the database from their website, stating, “MobiKwik data is deleted on our servers. All users safe!”
According to RaidForum, they had a long conversation with the hacker, who goes by the name ninja_storm, and the hacker has deleted all the data and two backups of the data from all their servers, including small copies of the data. It seems that the hacker initially sought to blackmail the company and promised to delete the data once paid, but they eventually decided not to pursue that strategy.