wordpress blog stats
Connect with us

Hi, what are you looking for?

RBI orders forensic audit of MobiKwik after alleged data breach: Report

cyber crime

The Reserve Bank of India (RBI) has ordered a third-party forensic audit into the allegations that over 8.2 terabytes worth of sensitive user data was compromised from MobiKwik’s servers over the last few months. The Press Trust of India was the first to report the development that the RBI has ordered an immediate forensic audit of the company’s systems by a CERT-IN empanelled auditor and submit the report without any delay.

The initial reports that user data from MobiKwik had been accessed by a hacker first came about towards the end of February this year, however it went under the radar. That is until this week, when a website created by the hacker to showcase the authenticity of the hack appeared on the darkweb. The website lets user check if their data, stored by MobiKwik, was leaked as part of the data dump. The database has since been pulled down from the website.

  • Leaked database contains 8.2 TB worth of data
  • 36 million files containing KYC information belonging t0 3.5 million people
  • Around 7.5 TB worth of KYC data pertaining to over 3 million merchants on MobiKwik’s network.
  • Includes a total of 350 GB of MySQL dumps that include 500 databases
  • Contains 99 million users’ phone numbers, emails, hashed passwords, addresses, bank accounts and card details
  • Over 40 million card details, up to 10 digits, have also been leaked with month, year and card hash data

According to the report, MobiKwik contacted CERT-IN on the issue, which in turn shared a data leak sample with the company. MobiKwik denied that this data leak sample belonged to them, per the report. However on March 1, MobiKwik told CERT-IN that on March 1 there was an unauthorised attempt to access its user-facing application programming interface which was subsequently scuttled. Unconvinced by the company’s statement, CERT-IN recoemmended that the RBI call for a forensic audit, the report said citing unnamed sources.

Interestingly, it seems that MobiKwik was aware of security breach in February itself, prior to the first reports of the alleged breach. According to screenshots of a conversation between a senior executive at MobiKwik and Amazon Web Services (AWS) on February 25, a day before news of the breach was reported. The MobiKwik executive sought details from AWS on the logs for a S3 bucket it used which the company realised was being exploited by “some other person outside the organisation.”

On Tuesday, in a statement MobiKwik said that it is entirely possible that users could have uploaded their information on multiple platforms. Therefore, it is “incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”

“As soon this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit.” — MobiKwik Spokesperson

Also Read

Advertisement. Scroll to continue reading.

Written By

Reports on banking, payments, fintech and crypto-curencies. Additional reporting on media regulations, data protection and other areas.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ