Security Researchers Call Out MobiKwik for KYC Data Leak

The breached database is 8.2 TB in size and contains KYC details, including hashed passwords and bank account and card details, of 3.5 million MobiKwik users. MobiKwik, however, has denied all claims of a data breach.


India has for several months been planning to ban cryptocurrency by introducing a bill against it in parliament, citing privacy concerns and the rise of unaccounted digital assets. The move is seen as surprising because the country has long promoted digital wallets and payment options, introducing its UPI-based payment app, BHIM, in 2016. Many private payment companies followed suit and established themselves quickly; one such player is the digital payments company MobiKwik. Independent security researchers quoted in this story say that MobiKwik accidentally leaked the data of 3.5 million users, and that the data is now up for sale on the dark web for 1.5 BTC (approximately $84,000). CISO MAG cannot confirm this and is reporting only what the researchers have stated.

KYC (Know Your Customer) is the verification process by which an institution confirms the identity of its customers. Identity details such as PAN (Permanent Account Number), Aadhaar number, postal address, email address, bank account number and phone number are recorded to verify the identity and address of the customer. KYC is mandatory for financial institutions in India when onboarding new customers.

Key Highlights

  • The data leak was first reported by independent security researcher Rajshekhar Rajaharia in February 2021.
  • As per Rajaharia’s series of tweets, the data of 11 crore (110 million) Indian card holders was leaked from a company server in India; the initial leak contained 6 TB of KYC data and a 350 GB compressed MySQL dump.
  • The findings were later re-confirmed by another researcher tweeting as “Elliot Alderson,” who shared credit with the Twitter account “UnderTheBreach.”
  • MobiKwik, however, has denied all such claims and says it found no security lapses on its part.

Is the MobiKwik Data Breach the Largest KYC Data Leak?

Rajaharia first raised the flag about this data breach on February 26, 2021. In a series of tweets, he presented details of when the leak occurred and what information it contained.


MobiKwik, however, rejected his claims, stating, “We thoroughly investigated his allegations and did not find any security lapses.”


Then, on March 29, 2021, another user tweeting as “Elliot Alderson” stated that MobiKwik’s data had indeed been breached and that the threat actor had put it up for sale on a dark web forum.

[Image: dark web forum listing for the MobiKwik data. Image credit: Elliot Alderson tweet]

According to the forum listing Alderson shared, it is the “Biggest KYC data leak ever.” The threat actor also lets interested buyers search for a phone number or any other string as a proof-of-concept that the data is genuine. The database appears to be larger than what Rajaharia had noted: it is 8.2 TB in size and contains 36,099,759 files along with critical PII of 99,224,559 users, including phone numbers, email addresses, hashed passwords, postal addresses, bank account and card details, and PAN and Aadhaar numbers.

As Rajaharia suggested in his tweet, we would reiterate the same: “Companies should take responsibility for users’ data strongly. There should be a data leak disclosure policy in place too.” Hiding breaches only leaves customers exposed.

It would now be interesting to see MobiKwik’s stance on these findings. The ball is now in its court. Was it really a breach? Or was it just a data dump from some other breach? We will keep you informed.

MobiKwik Data Breach Update – March 31, 2021:

In view of the serious allegations raised by its users and by security researchers, MobiKwik has confirmed that “it will get a third party to conduct a forensic data security audit.”

MobiKwik assured that “the company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform.”

It reiterated that all customer data was safe and that no MobiKwik user accounts or wallets were affected by the alleged incident.
