Up to 100 Mn MobiKwik users have had their data leaked, but the IPO-bound fintech company has buried its head in the sand with denials
Besides ridiculing independent security researchers, the MobiKwik CEO also shifted the blame onto users, saying they could have leaked the data themselves
Like MobiKwik, Indian startups have a woeful track record in dealing with major cybersecurity incidents and this needs to change if India is to capitalise on the tech revolution
“That didn’t happen.
And if it did, it wasn’t that bad.
And if it was, that’s not a big deal.
And if it is, that’s not my fault.
And if it was, I didn’t mean it.
And if I did, you deserved it.”
This is ‘The Narcissist’s Prayer’. Unfortunately, its origins are shrouded in mystery, but it is often quoted on internet forums and social media as a warning or merely a reminder that there is no winning against a narcissist. This week, we are singing it — deadpan — for MobiKwik, the company ambitiously going for an IPO this year.
More than 100 Mn MobiKwik users are said to be impacted by a recent data leak, but the company has denied it. The database, being sold on the dark web, not only contains personal and financial details of individual customers but also details of merchants that have procured loans from the company. First spotted by independent cybersecurity researcher Rajshekhar Rajaharia earlier this month, the database contains records of 11 Cr (110 Mn) MobiKwik users, a whopping 8.2 TB of data.
Despite corroborations from other corners about the data leak, MobiKwik has continued to deny any breach, with CEO Bipin Preet Singh also laying the blame on users. Which brings us to the point about narcissists.
MobiKwik In Denial Mode After Leak
For all intents and purposes, tech companies are narcissists. More than anyone else, they are the biggest believers in their ‘vision’. Criticism rarely makes a ripple on the surface of tech companies, if they register it at all — because in their eyes, who cannot love this company?
While stoicism or turning into a grey rock might eventually help people break through to other narcissists, tech companies are a different breed. For this species, the only narrative is the one they have set; reality be damned!
So, when the massive data leak at MobiKwik set cybersecurity alarm bells ringing in India once again, one could predict the company’s response from a mile away. That is because it is a page from the tried-and-tested denial playbook that most Indian startup founders seem to have on their desks.
While video and photographic evidence points to more than 100 Mn MobiKwik users being impacted by this leak, the company has gone on the offensive, denying the claims. It has not only said that the leaks did not come from the company’s database but also ridiculed independent cybersecurity researchers, the tech community at large and its users in its various responses.
After the token denial statement, the company also said it would take legal action against the researcher who exposed the leak. This is about as tone-deaf a response as one has seen from an Indian startup regarding data privacy. To add to this, CEO Singh shifted the blame onto users in a carefully manicured statement on Twitter. The CEO then proceeded to block several critics, including prominent tech industry personalities, who had replied to the tweet, questioning the claims.
It would be hard to see this response coming from any company, let alone one that is looking to go for an IPO later this year and raise money from the public. In what good faith should investors back such a company that is gaslighting users and the information security community with its statements?
The company has even sent takedown requests to Twitter to remove the tweets highlighting the data leaks. As Rajaharia posted, the social media platform has notified the affected users but has not deleted the tweets at the moment.
But like we mentioned above, MobiKwik is just following what others did. In the game of startups in India, the players rarely deviate from the norm — opting for obfuscation and stalling instead of owning up to a critical vulnerability.
If MobiKwik has issued a denial that seems crazy and launched a cashback promo in response to the allegations, BigBasket, Juspay, LimeRoad, Zee5 and others have also denied leaks in the past or refused to divulge information about the extent of the breaches.
- Around 1.29 Mn customer records of the ecommerce platform LimeRoad were posted on the dark web for sale in July last year.
- Earlier this month, Zee5 suffered a data breach that left the sensitive data of 9 Mn users exposed.
- In January, we reported that over 20 Lakh credit score records with Delhi-NCR-based fintech startup Chqbook were leaked on the dark web.
But these companies all denied any data breach whatsoever.
So, the question is: What gives startups and tech platforms the temerity to respond in such a lackadaisical manner?
Is it because of the scale achieved by these companies despite no signs of profitability for years? When sustainability is on the line and the competition is breathing down their necks and looking to consume them, will these companies still stick to such brash statements?
There is another major problem with Singh’s statement. It begins with the line, “Mobikwik is Truly Indian Payments App,” before delving into more tokenism. Coming at a time when the Made-in-India credentialism of apps is high on everyone’s radar, this opening gambit reeks of trying to score brownie points from some sections of social media.
Instead of taking responsibility from the get-go and calming users’ fears, the statement begins with delusions of grandeur and only addresses users directly in the very last paragraph. Everything that preceded it was about managing the company’s public image and not directly addressing what many call the biggest data leak in Indian tech history.