Data of 10 Cr MobiKwik users breached, put for sale on dark web

Hyderabad: An alleged massive leak of private data of users of the digital payments company MobiKwik is sending shockwaves across the industry, as several cybersecurity analysts have estimated that the data of at least 10 crore Indian users has been compromised. The Gurugram-based fintech company initially denied the claims but has now launched an investigation into the data dump.

In the past few months, allegations of a data leak have been made by several researchers and analysts, who alleged that the private data of MobiKwik users has been put up for sale on the dark web by hackers. This data leak contains KYC details, email IDs, addresses, passport details, PAN card details, debit/credit card details and Aadhaar card details of 10 crore users, making it the biggest data leak ever in India.

Rajashekhar Rajaharia, an independent security researcher, was one of the first to identify this. “Again!! 11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy (PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump,” he tweeted in February.

“Personal data of several high-profile Indian tech company founders were found in the compressed data dump,” Rajaharia told the Deccan Herald. On March 4, he tweeted about the leak and uncovered the severity of the dump. He also tagged the Reserve Bank of India (RBI) and the Computer Emergency Response Team (CERT-IN) to look into this matter.

MobiKwik, however, denied the claims, calling the researcher “media-crazed” and alleging that he published “concocted documents” to grab media attention. The company also tweeted that its internal investigation did not find any signs of a data breach and stated that it is considering legal action against the researcher.

But in the past week, many security analysts and researchers corroborated Rajaharia’s claims, including Robert Baptiste (Elliot Alderson on Twitter), who exposed the ownership of the Koo app.

Kiran Jonnalagadda, co-founder of the software company Hasgeek, has shared that details of his credit card, which he did not authorise MobiKwik to save, were found in the dump. He also found that for people who have the MobiKwik app installed, more details, such as a list of apps on the phone and GPS coordinates, were also part of the leak.

The Indian Express said that it was able to independently verify the claims and found that the data leak is real.

Due to mounting pressure, MobiKwik finally responded in a blog post, saying that it is launching an investigation into the data breach.

“While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source,” read the statement.

The company also reiterated that the user accounts and balances are safe.

A hacker group named Jordandaven emailed a link to the database to PTI and said that they do not have any intention of using the data except to get money from the company, after which they would delete it from their end, Firstpost reported. The hackers also shared the data of MobiKwik founder Bipin Preet Singh and CEO Upasana Taku from the database.

The company denied the claims, saying that it is “subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.” The hackers, however, have made it clear that the database is MobiKwik’s and uploaded pictures of QR codes and KYC compliance documents to the dump.

The Internet Freedom Foundation said in a blog post that they have written to the Computer Emergency Response Team (CERT-IN) asking them to initiate an inquiry over the data breach in terms of Section 70B (6) of the Information Technology Act, 2000.

Several Indian startups have suffered data breaches in the past. MobiKwik thus joins the likes of BigBasket, Koo, Unacademy, and JusPay, which were also high-profile targets for hackers.

In the absence of robust data protection laws, protecting users’ data and penalising those responsible for breaches would be impossible. The Personal Data Protection Bill, which is said to contain provisions dealing with such situations, has been pending in the Lok Sabha since 2019.

In the absence of the Bill, experts say that the Information Technology Act of 2000 and the Information Technology Rules of 2011, which currently form the data protection law in India, are highly inadequate.

Karthikeya S has also contributed to this report