Paytm sent a cease and desist notice to Atlanta-based cybersecurity firm Cyble on September 4 for publishing a false, “defamatory” and “slander[ous]” report about a breach of Paytm’s database. Paytm completely denied all the claims that Cyble made in its report since “there have been so security lapses or gaps found in its [Paytm’s] eco-system [sic]”. It further claimed that this piece of “disinformation” has “completely disrupted and terrified” its customers. MediaNama has seen a copy of the notice. Livemint first reported the development.
In the cease and desist notice, Paytm has asked Cyble to remove the report, publish an apology and notice that the previous report was false, not publish any “defamatory” posts about Paytm, and give Paytm a written undertaking that Cyble will not “indulge” in such activities in future. Cyble has been given seven days to comply with the notice, failing which Paytm will initiate civil and criminal proceedings against the infosec company to claim damages for loss of reputation, goodwill and business. We have reached out to Cyble for confirmation.
The notice calls the Cyble report “completely baseless, false and disparaging”. It alleges that Cyble published this report “in haste” and “without even checking and verifying the authenticity of the information”.
Cyble had claimed that a known cybercrime group, called “John Wick”, used a backdoor in the Paytm Mall website and application to gain unrestricted access to the company’s entire databases, potentially compromising all Paytm Mall accounts. Cyble also claimed that the group had demanded 10 ETH (ether), a type of cryptocurrency equivalent to US$4,000, as ransom for the data.
In response to MediaNama’s queries, Beenu Arora, Cyble’s founder and CEO, had at that time said that they had reached out to Paytm via their social media channels since the two did not have a pre-existing relationship. We had asked Arora for the data of contact but had not received a response. A Paytm spokesperson at that time had said that Cyble had not got in touch with the company informing it about the alleged breach. They had also said, “This news is absolutely false, their has been no conversation and no ransom asked [sic].”