Mobikwik has toned down its sharp response to claims of what has been reported as the biggest data breach of its kind. After shooting back at independent cyber security researcher Rajshekhar Rajaharia in its initial response dated March 4, Mobikwik has now issued a statement after a data dump on the dark web listed almost 11 crore entries of private and potentially sensitive user data, including over 35 lakh KYC (Know Your Customer) documents, in an 8.2TB database. The company now highlights the cyber security standards it claims to follow, before stating that it is still investigating the breach claims.
In its official statement, a Mobikwik spokesperson said that the company is “subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure security of its platform. Under ISO 29147 Responsible Vulnerability Disclosure Program, it has a long running Bug Bounty programme.” The statement goes on to deny that the data, if genuine, even originated from Mobikwik’s own servers.
The rest of the statement reads, “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.
“When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Mobikwik further addressed its users in its official statement, saying, “All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number.” The response comes after multiple notable figures from the cyber security community posted about the data breach, with some criticising the company for not responding adequately to a seemingly serious allegation.
At the time of publishing, News18 could confirm that the dark web database remains live, although its search functionality has been disabled to prevent malicious actors from misusing the data.