Having initially dismissed reports of the leak of 100 million customer files on the dark web, Indian payments processor MobiKwick has brought in external investigators to conduct a forensic data security audit.
The alleged leak was first exposed early last month by Indian security researcher Rajshekhar Rajaharia
11 Crore Indian CardHolders data alleged leaked from @MobiKwik Server, Hacker claimed. It Seems hacker still have their data. Backup was alleged taken on 20Jan 2021. He claim to have mobikwik access since last 30 days. @RBI @IndianCERT Please look into this matter.#InfoSec #GDPR pic.twitter.com/tBS3U6Oqhw
— Rajshekhar Rajaharia (@rajaharia) March 4, 2021
His posting received a ferocious response from MobiKwik, accusing him of concocting the data and threatening legal action, a reaction which led one commentator to accuse the firm of going 'all Iraqi general' on the reports
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention.We thoroughly investigated his allegations and did not find any security lapses. 1/n
— MobiKwik (@MobiKwik) March 4, 2021
A month on and MobiKwik admits that "some users have reported that their data is visible on the darkweb".
The firm says it undertoook an internal investigation when reports of the hack first surfaced but found no evidence of a breach of its systems.
In a statement on the latest developments Mobikwik says: "The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit."
The firm believes that stolen data from users may have been accessed from other third party sites: "It is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source."
