As controversy around the alleged data breach at payments firm MobiKwik rages on, the Reserve Bank of India (RBI), it is learnt, has asked the Gurugram-headquartered firm to get a third-party forensic audit done through an auditor approved by the cyber incident arm of the government.
According to a person aware of the matter, MobiKwik has been in touch with the Computer Emergency Response Team (CERT-In) on the matter. CERT-In is the nodal agency responsible for dealing with cyber incidents, under the Ministry of Electronics and Information Technology (MeitY).
The alleged breach is believed to have compromised data of 3.5 million users of MobiKwik, exposing their know-your-customer (KYC) documents such as addresses, phone numbers, Aadhaar card, PAN cards and so on.
While denying that data had been leaked, MobiKwik had on Tuesday said in a blog post that it was "working with requisite authorities" on the issue.
"Based on the forensic report, the RBI will conduct its own investigation in the matter," said the person who asked not to be named. The central bank will then determine the future course of action, the person added.
According to this person, MobiKwik has also spoken to CERT-In on the issue. MobiKwik, the source added, checked the records in its database against a leaked data sample shared by CERT-In and told the agency that the leaked data did not belong to the payments firm.
When contacted by Business Standard, a MobiKwik spokesperson said, "We take the privacy and security of our user data very seriously. We are working closely with requisite authorities to conduct an independent forensic audit."
CERT-In, meanwhile, did not respond to queries by Business Standard on the matter.
The allegedly leaked documents, posted on the dark web on Monday, claimed to have 8.2 terabytes (TB) of data. To put this in perspective, according to some estimates, one TB can hold about 500 two-hour-long movies, or 250,000 photos taken with a 12MP camera or 500 hours of high-definition video (see box).
Legal remedies inadequate
India does not have breach disclosure norms, which complicates the issue of this particular alleged breach. "India does not have a specific legislation dealing with cases of user data breach or penal actions relating to those," said Salman Waris, head of TMT and IP Practice at TechLegis Advocates & Solicitors. "The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019."
In the absence of specific legislation, the Information Technology Act of 2000 and the IT intermediary Rules made in 2011 provide some form of data protection but are "wholly inadequate," Waris added.
In a letter addressed to the public grievance officer at CERT-In, digital liberties organisation Internet Freedom Foundation (IFF) said on Wednesday: "In our opinion, CERT-In must conduct a technical audit and call on MobiKwik to provide a substantive explanation on why such a breach has taken place; details of the breach including the number of users affected by the breach and the date and time on which the breach took place; inform each affected user of the extent to which the breach has impacted them; devise a strategy to remedy the situation; and permit an independent agency to conduct a forensic data security audit and publish their findings."
If it is proved that data was indeed breached, MobiKwik can be held liable under Section 43A and Section 79 of the IT Act. CERT-In can ask for information from the firm under Section 70B(6) of the IT Act.
Meanwhile, IFF has also called upon MobiKwik to withdraw the threat of legal action against the cyber security researcher who uncovered the alleged breach.
The leak was first reported in February by security researcher Rajshekhar Rajaharia. The company had denied it at the time. Rajaharia said his Twitter account was locked earlier on complaints by MobiKwik for leaking personal data, and his LinkedIn account was also impacted. He said similar action was taken on his account on Wednesday, with Twitter temporarily locking some of the features of his account.