MobiKwik, an IPO-Bound Unicorn, Investigated by the RBI for a Data Breach

More than 3.5 million MobiKwik users' personal data may have been compromised, according to reports.

Image credits: The Indian Express

In response to a recent Right to Information (RTI) petition, the RBI stated that the company has submitted a forensic audit report describing the data breach. The petitioner had asked where the investigation stood and how it was being conducted, according to The Hindu Business Line.

Internet security researcher Rajshekhar Rajaharia first reported the leak in late February 2021, when 37 million files containing the KYC documents of 3.5 million people were found exposed. A further 100 million phone numbers, email IDs and credit card details were also exposed, along with geolocation data.

Whether individual customers are told is of no concern to the RBI, says Srinivas Kodali, an independent researcher and privacy rights campaigner. The RBI ensures that banks and payment processors reimburse customers if fraud occurs as a result of a data breach. Because companies believe they have no legal obligation to notify those whose data has been compromised, they do not do so. Lax enforcement of the legislation is what allowed MobiKwik to avoid informing its customers. It also took the RBI reaching out to MobiKwik before the company finally submitted its report to the regulator. In the absence of data privacy legislation, no independent inquiry has been conducted to date.

According to MobiKwik, an independent digital forensic audit specialist confirmed that there was no unauthorized access from outside the organization.

MobiKwik’s draft red herring prospectus (DRHP) filed in July 2021 mentioned, “We engaged an independent digital forensic audit expert to conduct an audit relating to these allegations. The forensic audit expert subsequently reported that based on the analysis of logs/ data provided to them, there was no unauthorised access from outside of our Company’s infrastructure or internally to the database server wherein customer data is stored, during the review period. The report, however, states certain limitations to the processes undertaken.”

Using the stolen data, the hacker had built a search engine over 10 crore (100 million) credit and debit card records, Rajaharia stated to the court. A user's entire transaction history could be retrieved simply by entering their phone number. Information about senior government officials and IPS officers was also included in the leaked documents. It was on display for all to see. "MobiKwik would have sued me for defamation if the claims were true," he said.