Indian payment app maker MobiKwik has denied its security has been breached, saying that if it's true, as has been claimed, that its customers' information has appeared on the dark web, then some other platform was totally responsible for that.
"Some users have reported that their data is visible on the dark web," reads a message from the company, dated March 30.
“While we are investigating this, it is entirely possible that any user could have uploaded her or his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
Claims that customer data had been siphoned from MobiKwik's systems by a miscreant emerged in early March in a tweet from security researcher Rajshekhar Rajaharia:
11 Crore Indian CardHolders data alleged leaked from @MobiKwik Server, Hacker claimed. It Seems hacker still have their data. Backup was alleged taken on 20Jan 2021. He claim to have mobikwik access since last 30 days. @RBI @IndianCERT Please look into this matter. #InfoSec #GDPR pic.twitter.com/tBS3U6Oqhw — Rajshekhar Rajaharia (@rajaharia) March 4, 2021
A day later, MobiKwik vigorously disputed the allegation:
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses. 1/n — MobiKwik (@MobiKwik) March 4, 2021
Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives. n/n — MobiKwik (@MobiKwik) March 4, 2021
Amid its denials and threats of legal action, MobiKwik said it investigated the possibility its systems had been compromised and customer records exfiltrated and leaked. "When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach," the biz wrote.
The company has declared itself “confident that security protocols to store sensitive data are robust and have not been breached.”
But not so confident that it won’t dig further. “Considering the seriousness of the allegations, and by way of abundant caution, [the company] will get a third party to conduct a forensic data security audit,” it wrote.
MobiKwik customers say a sample of the firm’s data remains online and for sale. It is said to be accessible via Tor, though only intermittently, as whatever server or infrastructure hosts the haul struggles to meet demand from the curious and/or nefarious, or perhaps is only up and running at certain times.
Researchers and customers say the leaked data includes card numbers, the Know Your Customer number that Indian financial institutions use to identify investors, and possibly also India’s Aadhaar national ID number.
Troy Hunt, creator of haveibeenpwned.com, slammed MobiKwik’s handling of the alleged breach. “From what I’ve seen so far, they’re going all ‘Iraqi Information Minister’ on this,” he tweeted, after calling out the Indian company’s response as known-worst practice... ®