India has been planning to ban cryptocurrency for the past few months by introducing a bill against it in parliament, citing privacy concerns and a rise in unaccounted digital assets. This is seen as a rather surprising move, as the country has long advocated the use of digital wallets and payment options, introducing its UPI-based payment interface, BHIM, in 2016. Following suit, many private payment companies sprang up and quickly established themselves. One such player is the digital payments company MobiKwik. Independent security researchers quoted in this story indicate that MobiKwik accidentally leaked the data of 3.5 million users, which is now up for sale on the dark web for 1.5 BTC (approximately $84,000). CISO MAG cannot confirm this and is merely reporting what the researchers are stating.
KYC (Know Your Customer) is a verification process that allows an institution to confirm the identity of its customers. Identity details such as PAN number, Aadhaar number, postal address, email address, bank account numbers, and phone numbers are recorded to verify the identity and address of the customer. KYC is mandatory for financial institutions in India when onboarding new customers.
- The data leak was first reported by independent security researcher Rajshekhar Rajaharia in February 2021.
- As per Rajaharia’s series of tweets, the data of 11 crore (110 million) Indian card holders was leaked from a company server in India, and the initial leak contained 6 TB of KYC data and a 350 GB compressed MySQL dump.
- The findings were then updated and re-confirmed by another researcher going by the Twitter handle “Elliot Anderson,” who shared the credit with another Twitter handle, “UnderTheBreach”.
- MobiKwik, however, has denied all such data breach claims, stating it found no security lapses on its part.
MobiKwik Data Breach: The Largest KYC Data Leak?
Rajaharia first flagged this data breach on February 26, 2021. In a series of tweets, he presented details of when the data was leaked and what it contained.
Again!! 11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump. @RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
However, MobiKwik rejected his claims, stating, “We thoroughly investigated his allegations and did not find any security lapses.”
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses. 1/n
— MobiKwik (@MobiKwik) March 4, 2021
But against the run of play, another user going by the name “Elliot Anderson” tweeted on March 29, 2021, that MobiKwik’s data had indeed been breached and that the threat actor had subsequently put it up for sale on a dark web forum.
As per the forum image shared by Anderson, it is the “Biggest KYC data leak ever.” The threat actor also offers prospective buyers the option to search for phone numbers or any other string as a proof of concept. The database, though, appears to be larger than what Rajaharia had noted: it is 8.2 TB in size and contains 36,099,759 files along with the critical PII of 99,224,559 users, including phone numbers, emails, hashed passwords, addresses, bank account and card details, PAN and Aadhaar card numbers, and more.
As Rajaharia previously suggested in his tweet, we would like to reiterate his point: “Companies should take responsibility for users’ data strongly. There should be a data leak disclosure policy in place too.” Hiding breaches only leaves customers exposed.
It would now be interesting to see MobiKwik’s stance on these findings. The ball is in its court. Was it really a breach? Or was it just a data dump from some other breach? We will keep you informed.
MobiKwik Data Breach Update – March 31, 2021:
In view of the serious allegations levelled against it by its users and by security researchers, MobiKwik has confirmed that “it will get a third party to conduct a forensic data security audit.”
MobiKwik assured that “the company has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform.”
It reiterated that all customer data was safe and that no MobiKwik user accounts or wallets were affected by the alleged incident.