The alleged data breach of 3.5 million users at IPO-bound fintech unicorn MobiKwik is under RBI’s scanner.

The company has submitted a forensic audit report detailing the data breach, the RBI said in response to a right to information (RTI) petition filed recently. The petitioner sought to know the status and understand the procedure of the investigation.

Srinivas Kodali, independent researcher and privacy rights activist who had filed the RTI, told BusinessLine , “The RBI doesn’t care about informing individual customers. If there is a fraud happening due to data breach, the RBI ensures that the banks and payment processors refund that money under a certain limit. They think they are not obligated to inform individuals whose data was affected due to these breaches. And since there are no strict laws, MobiKwik got away without informing customers. MobiKwik also didn’t submit their report to the RBI, until the regulator reached out to them. There has been no independent investigation so far due to lack of data protection laws.”

Digital forensic audit

While the company did not respond to queries from BusinessLine , MobiKwik’s draft red herring prospectus (DRHP) filed in July 2021 mentioned, “We engaged an independent digital forensic audit expert to conduct an audit relating to these allegations. The forensic audit expert subsequently reported that based on the analysis of logs/ data provided to them, there was no unauthorised access from outside of our Company’s infrastructure or internally to the database server wherein customer data is stored, during the review period. The report, however, states certain limitations to the processes undertaken.”

Search engine created

The data leak was first reported by internet security researcher Rajshekhar Rajaharia in late February 2021, wherein 3.5 million individuals KYC documents were exposed through 37 million files. Apart from that, 100 million phone numbers, email ids, passwords, geodata, bank account details and credit card data were leaked.

“The hacker had, in fact, created a search engine using their data, which had 10 crore credit card and debit cards data. Just by entering the phone number, one could get access to the entire transaction history of the user. The leaked data even included details of some of the senior government officials and IPS officers. It was out in public. If it was all false, MobiKwik would have filed a defamation case against me,” Rajaharia told BusinessLine .

In an interview with BusinessLine earlier this month, Upasana Taku, co-founder, chairperson and COO, MobiKwik said, “ Our public statement is very much out there on our social media profiles where we have denied any breach in the system and we had even appointed a forensic auditor to check it and they too didn’t find any breach.”