RBI Orders Forensic Audit of MobiKwik after it rubbishes hacking claims
The Reserve Bank of India (RBI) has ordered an immediate forensic audit of MobiKwik by a certified forensic auditor over the recent data breach allegations. Over 8.2 terabytes of sensitive user data are alleged to have been exfiltrated from MobiKwik’s servers in the last few months.
Internet security researcher Rajshekhar Rajaharia first tweeted about the leak at the end of February, but the allegations went largely unnoticed. Recently, however, the hacker(s) set up a website on the dark web to demonstrate the hack’s authenticity, allowing users to check whether their MobiKwik data was part of the dump. The database has since been removed from that site.
Details of the Data Breach
As reported earlier, the database is approximately 8.2 TB in size and contains 36,099,759 files, as well as KYC information for 3.5 million people. The seller has built a dark web site where users can search by phone number or email address, and is offering the database for 1.5 Bitcoin (roughly $85,000). The dump is said to contain 350 GB of MySQL dumps, or about 500 databases, holding 99 million email addresses, phone numbers, passwords, physical addresses, IP addresses, GPS locations and device-related data, plus 40 million records of card numbers, expiration dates and hashes. A further 7.5 TB of merchant KYC data for 3.5 million merchants is also included, comprising passports, Aadhaar cards, PAN cards, selfies and other photo proofs.
Initially, the company denied the allegations. In a tweet, it stated that “Some media-crazed so-called security researchers have frequently attempted to present concocted files, wasting valuable time of our organisation as well as members of the media. We conducted a systematic investigation and discovered no security flaws. Our users’ and company’s information is secure.”
MobiKwik, meanwhile, informed CERT-In on March 1 that an unauthorized attempt to access its user-facing application programming interface (API) had been made and thwarted. Unconvinced by the company’s assertion, CERT-In recommended to the RBI that a forensic audit be conducted, according to Live Mint, which cited anonymous sources.
According to the report, the company appears to have been aware of the breach: screenshots of a conversation between a senior MobiKwik executive and Amazon Web Services (AWS) on February 25, a day before the breach was made public, suggest as much.
On Tuesday, hedging its position, MobiKwik stated that users may have uploaded their information to multiple platforms, and that it is therefore “incorrect to imply that the data available on the dark web was collected from MobiKwik or some other identified source.”
According to the statement, the company undertook a thorough investigation with the help of external security experts and found no evidence of a breach. It also stated that, given the seriousness of the allegations, it will engage a third party to conduct a forensic data security audit.
While the company appears to be trying hard to hush demands for a proper breach disclosure, TechCrunch reported that MobiKwik officials had asked an Amazon representative for logs relating to its cloud service after the company “came to know that our S3 data is downloaded by some other person outside the organization.” The company has also said it would take strict action against the “so-called security researcher”.
Meanwhile, Twitter temporarily suspended Rajshekhar Rajaharia’s account, and LinkedIn deleted his post about the breach. Taken together, this has fuelled speculation that the company paid a ransom to the hackers, who then took the database down, and that it is now trying to bury the issue. Any such claim remains unverified, however.