As the controversy around Mobikwik’s alleged data leak continues to linger, the Reserve Bank of India (RBI) has taken notice of the matter and directed the Gurugram-based payments startup to get a third-party audit done through CERT-In (Indian Computer Emergency Response Team), the cybersecurity agency of the Indian government. Further, the payments company will have to submit the report to the RBI without delay.
The development comes after a database of 110 Mn (11 Cr) Mobikwik users was leaked on the dark web in January 2021. The 8.2 TB database included not only personal and financial details of individual customers but also details of merchants that had taken loans from the company.
According to a PTI report citing sources within the company, Mobikwik has been following the directive and has been in touch with CERT-In on the matter. The cybersecurity agency had shared a sample of the leaked data with Mobikwik, and the company concluded that the sample did not originate from its systems.
However, the company has admitted to the cybersecurity agency that an unauthorised attempt was made on March 1 to access Mobikwik’s user-facing application programming interface (API) associated with a payment link generated through its platform. The company claimed that it had thwarted the attempt, but CERT-In was unconvinced and later recommended that the RBI order a forensic audit.
As per the PTI report, the hacker group named Jordandaven had also shared data on Mobikwik founders Bipin Preet Singh and Upasana Taku taken from the same database.
Mobikwik, on the other hand, has continued to deny any breach, with CEO Singh also shifting the blame onto users. The company has also said that the leak did not come from Mobikwik’s database and threatened to take legal action against the cybersecurity researcher Rajashekhar Rajaharia, who had first exposed the leak.
“Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from Mobikwik or any identified source,” Singh said in an official statement released on March 30. He also said that the company would conduct a forensic data security audit.
Amid rising cybersecurity threats and breaches in India, the RBI has also been tightening its supervisory norms for payments companies that store customer data. All payment system operators (PSOs) will now have to submit detailed “compliance certificates” to the central bank twice a year from April 1, 2021, onwards. Along with this, Indian PSOs will also have to submit a board-approved system audit report (SAR) prepared by CERT-In-empanelled auditors.