Forensic Audit of MobiKwik Ordered

A forensic audit of India’s largest independent mobile payments network has been ordered following an alleged data breach.

Reports that data in the care of MobiKwik had been leaked online began circulating on social media in February. Earlier this week, a website on the Darknet appeared to show that 8.2 TB of data had been exfiltrated from the company.

On March 30, the hacking group Jordandaven claimed to have stolen a MobiKwik database containing 36 million files in which the Know Your Customer (KYC) identity verification data of around 3.5 million people was stored.  

Among the allegedly leaked data are 99 million customers’ phone numbers, emails, hashed passwords, addresses, and bank account information, and the details of over 40 million payment cards.

Jordandaven claimed that data belonging to MobiKwik founder Bipin Preet Singh and to the company’s chief executive, Upasana Taku, were contained within the leaked database.

MobiKwik has over 107 million users and more than three million merchants on its network. The company’s alleged hackers claim to have stolen 7.5 TB of KYC data related to those merchants.  

To ascertain the legitimacy of the hackers’ claims, the Reserve Bank of India yesterday ordered that a forensic audit of MobiKwik be carried out immediately by a CERT-IN (Indian Computer Emergency Response Team) third-party auditor.  

MobiKwik, which is based in Gurugram, has dismissed claims of a data leak as untrue. 

On Tuesday, a MobiKwik spokesperson said: “We are subjected to stringent compliance measures under PCI-DSS and ISO certifications which include annual security audits and quarterly penetration tests to ensure the security of our platform.

“As soon as this matter was reported, we undertook a thorough investigation with the help of external security experts and did not find any evidence of a data breach.”

MobiKwik stated that it had contacted CERT-IN after the alleged data breach. After reviewing a sample of the allegedly leaked data, the company concluded that the data did not belong to it.

The New Indian Express reports that MobiKwik previously contacted CERT-IN after discovering an unauthorized March 1 attempt to access its user-facing application programming interface associated with a payment link generated through its platform.
