MobiKwik reported that it conducted an investigation regarding data breach claims after finding out that a dark website alleged to have leaked the personal details of around 100 million MobiKwik users.
According to the Indian digital wallet company, it is unsure whether the data belongs to MobiKwik users. In a blog post, it noted that “it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
MobiKwik said it was partnering with authorities and was assured that its security procedures for storing sensitive information were “robust and have not been breached.” Also, a forensic cybersecurity audit will be conducted by a third party.
The website revealed that it has 8.2 TB of information from MobiKwik, including email addresses, transaction records, partial card numbers, phone numbers, and scrambled passwords.
Besides, the website stated to have “know your customer” (KYC) files of 3.5 million users. KYC files are government-issued Aadhaar cards or PAN IDs, with each visit displaying four random photos from the data storage.
In India, users need KYC files to use some services without restrictions. For example, local law mandates that a digital payment company allows transactions above a specified threshold per month.
The website has a searchable archive where people can search their contact number or email address to check the validity of the security hacking. In some instances, TechCrunch, an online newspaper, tried to test the data’s accuracy.
Moreover, it appears that a dealer on a famous cybercrime website is selling database access for $70,000, equivalent to 1.2 bitcoin.
Security researcher Rajshekhar Rajaharia informed MobiKwik about the suspected security breach, as per the TechCrunch report. MobiKwik said that it had undertaken a comprehensive investigation and found no proof of the incident.
Based on a screenshot obtained by TechCrunch, a representative from MobiKwik asked an official from Amazon for log files relating to the company’s cloud service. It had happened after the company “came to know that our S3 [cloud storage] data is downloaded by some other person outside the organization.”
The company’s legal team has promised to take “strict action against the so-called security researcher.” Rajaharia told TechCrunch that it is his right to confirm if his information is secure but he lacks the means to battle legal measures.
By responding to the data breach issue, MobiKwik said, “We are committed to a safe and secure Digital India.”