The Reserve Bank of India (RBI) has reportedly ordered Mobikwik to initiate an immediate forensic cyber security audit of the company’s data server infrastructure, according to reports. The update comes in the aftermath of what has reported to be one of the biggest data breaches of its kind, sending the cyber security community in a frenzy. However, Mobikwik, which is one of the bigger digital payments services in the country, has continued to deny the breach, while stating that it intends to undertake a self-imposed forensic cyber security audit of its servers. The instruction from RBI comes in line with this decision.
Earlier this month, cyber security researcher Rajshekhar Rajaharia brought to light that a massive database on the dark web dumped a massive amount of sensitive and identifiable user data. The latter contained entries of over 36 lakh KYC (Know Your Customer) documents, and additional user information including phone numbers, addresses and even credit card details belonging to almost 11 crore users. The 8.2TB database has remained accessible on the dark web since being reported, and the data in it was reportedly being sold to any interested party for 1.5 BTC. However, despite major figures of the global cyber security community talking about the breach, Mobikwik has continued to remain in denial.
In a press statement on the matter, a Mobikwik spokesperson stated, “While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from Mobikwik or any identified source. When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.
“The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Reports on the matter state that the RBI has instructed Mobikwik to undertake the cyber security audit via a CERT-In-empanelled security agency. The latter is believed to have shared a sample of the data that was leaked from the Mobikwik servers, following which the company has continued to maintain that the data breach in question does not directly link to them.
