Tag Archive for: MobiKwik

Regulatory system needs a rethink after data breaches at Juspay and MobiKwik, say experts


The fintech and startup ecosystem that has emerged in recent years has a major governance issue: data breaches and leaks are not taken seriously. Unfortunately, the regulatory system has not woken up to the fact that the recent data breaches at Juspay and MobiKwik can cause significant harm to idle users in the future.

The Indian government is yet to introduce a Personal Data Protection Law (PDP Law) in Parliament at a time when incidents of data breaches and personal information being sold on the darkweb are increasing year-on-year. The lack of a Data Protection Authority and a Personal Data Protection Law means that there is regulatory ambiguity in terms of who should respond to breaches and investigate them. Industry experts told MediaNama that the entire regulatory system needs to be strengthened, business models need a rethink and that companies need to be made more accountable, whether through the courts or through internal governance practices.

1) CERT-IN is the primary agency for data breaches

According to legal experts, it is the Computer Emergency Response Team (CERT-In), the nodal agency under MEITY for computer security incidents, that is the primary agency responsible for investigating data breaches, and not the Reserve Bank of India (RBI).

According to Mathew Chacko, Partner at the law firm Spice Route Legal, any server compromise or breach needs to be disclosed to CERT-In (under the IT Act) regardless of the sensitivity of the data leak. “There are no two ways about reporting the incident to CERT-In,” Chacko said.

After reporting to CERT-In, it’s the company’s decision to report the incident to its customers and the public, he added. “Not all data breaches are significant enough to be reported to the public, but in some cases, companies take it for granted that the public need not know,” he said.


The RBI only steps in when it comes to financial data, but data breaches fall within CERT-In’s ambit, NS Nappinai, a Supreme Court advocate and founder of Cyber Saathi, said.

“Non-reporting of such data breaches carries heavy penalties for such incidents. But the issue is that organisations tend to be lax in…

Source…

Data of 3.5 m MobiKwik users allegedly hacked


Personal details of 3.5 million MobiKwik users seem to have been leaked, according to independent cybersecurity researchers. The Gurugram-based fintech platform, however, denied any breach, saying its user and company data are completely safe and secure.

The breach was flagged by French cybersecurity researcher Elliot Alderson in a tweet on Monday. “Probably, the largest KYC data leak in history. Congrats MobiKwik,” he tweeted with a screenshot of the data leak. “This database is 8.2TB and contains 36,099,759 files,” the screenshot showed, adding that it contained KYC data of nearly 3.5 million people. It is reported to be up for sale on the Dark Web.

In a statement, MobiKwik said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”

The breach was initially flagged by Internet security researcher Rajshekhar Rajaharia in early March. In a tweet on March 4, he had said that this leak involves 11 crore Indian cardholders’ data, which were allegedly leaked from a MobiKwik server. Some users also confirmed that their data were available online.

“All my details including name, address, bank account details are there on the link shared by the independent researcher,” said a Chennai-based MobiKwik user. The allegation of a data breach comes even as MobiKwik is reportedly targeting an initial public offering before September to raise $200-250 million.

Data breach on the rise

The number of data breaches in India has been rising over the last two years. In November, BigBasket had filed a complaint with the Cyber Crime Cell in Bengaluru to verify claims made by cybersecurity intelligence firm Cyble that a hacker had put up the online grocer’s user data for sale on the Dark Web for over $40,000. In May, Edutech startup Unacademy had also disclosed a data breach that compromised the accounts of 22 million users.

According to the national cybersecurity agency, cyber attacks have surged from 53,117 in 2017 to 208,456 in 2018, 394,499…


Hackers allegedly leak data of 9.9 crore Mobikwik users in India, company rejects claim






© Provided by Firstpost

Hackers have leaked data such as mobile phone numbers, bank account details, emails, and credit card numbers of 9.9 crore Indians, allegedly Mobikwik users, which the digital payments company has strongly denied. The disclosure about the data leak was made by cybersecurity analyst Rajshekhar Rajaharia, who has also written to the Reserve Bank of India, the Indian Computer Emergency Response Team, PCI Standards, and payment technology firms, etc.

A hacker group by the name of Jordandaven emailed the link of the database to PTI and said that they do not have any intention of using the data except to get money from the company and delete it from their end.

Jordandaven shared the data of Mobikwik founder Bipin Preet Singh and Mobikwik CEO Upasana Taku from the database.

When contacted, Mobikwik denied the claim.

The company’s spokesperson said that as a regulated entity, it takes data security very seriously and is fully compliant with applicable data security laws.

“The company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure the security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach,” the Mobikwik spokesperson said.

Hackers maintained that the database is of Mobikwik and uploaded several pictures of Mobikwik QR codes along with documents used for ‘Know Your Customer’ compliance, mainly Aadhaar and PAN cards.

Mobikwik said that it is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security…


FSMI demands probe into MobiKwik data breach


The Free Software Movement of India (FSMI) has asked the Indian Computer Emergency Response Team (CERT-IN) to initiate an inquiry into the alleged breach of data of about 10 crore users of Mobikwik.

Citing newspaper reports, the FSMI alleged that the KYC (know your customer) data of about 35 lakh users were also compromised. “The data is available on the dark web. Mobikwik being a digital wallet, the breach would expose its customers to cyber security attacks,” said the FSMI in its complaint.

The leak contains a database portion of phone numbers, e-mails, hashed passwords, addresses, bank accounts, card numbers and other KYC details. The size of the reported breach database is put at 8.2 terabytes.

“We ask for an investigation into this incident and update citizens on what has transpired at MobiKwik and what is happening with their data,” said the FSMI.
