RBI Examines IPO-Bound MobiKwik’s 100 Mn Data Breach

IPO-bound digital payments platform MobiKwik, which was involved in a massive data leak earlier this year, is still under scrutiny by the Reserve Bank of India even as it inches closer to its public offering. 

An RTI filed by cybersecurity researcher Srinivas Kodali revealed that the RBI has taken cognisance of the data breach and is examining the forensic report submitted by the startup. 

MobiKwik was alleged to have been hit by a data breach involving more than 100 Mn users earlier this year. The leaked data is said to impact Mobikwik’s customers as well as the merchants that have procured loans from the company.

The leaked database contained user records for 11 Cr Mobikwik users with a whopping 8.2 TB of data. The sellers of the database had set up a dark web portal where anyone could search the impacted users by their phone number or email ID. The database was put up for sale for 1.5 Bitcoin (or roughly $85K).

The data dump was said to contain 350GB of MySQL dumps or 500 databases, 99 Mn email, phone, passwords, physical addresses, IP address, GPS location and device-related data, as well as 40 Mn records of card numbers, expiry dates, card hashes (SHA256 encrypted).

Post reports of the breach, MobiKwik cofounder and CEO Bipin Preet Singh said that MobiKwik cannot be blamed for the data leak and said that there is a possibility that users uploaded their information on multiple platforms leading to the leak. 

He added that MobiKwik would get a third party to conduct a forensic data security audit. The RBI had also ordered the company to conduct a third-party audit of its systems. However, as revealed in the RTI response, the inquiry is still ongoing. 

Following the incident, MobiKwik filed its IPO prospectus in July this year and is seeking to raise INR 1,900 Cr through the public market. The startup is issuing fresh shares worth INR 1,500 Cr and an offer for sale worth INR 400 Cr. SEBI approved MobiKwik’s IPO earlier this month.

In its IPO filings, the startup had allayed fears about the data breach saying that forensic audit experts found no evidence of unauthorised access. The company claimed, “The forensic audit expert subsequently reported that based on the analysis of logs/ data provided to them, there was no unauthorised access from outside of our company’s infrastructure or internally to the database server wherein customer data is stored, during the review period.”  

While the company has claimed that the audit has revealed no discrepancies, it remains to be seen whether the RBI concurs.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.