The Reserve Bank has asked troubled digital wallet firm Mobikwik, which is facing data breach allegations, to get a forensic audit done without any delay. Though the Gurugram-based firm has been claiming that its systems are secure and that there is no basis for the allegations of a data breach, a group of hackers on Tuesday said they accessed the personal and financial data of nearly 10 crore Mobikwik customers.

On Wednesday, sources in the know of the development told PTI that the RBI had ordered an immediate forensic audit of its systems by a certified auditor.

When contacted, an RBI spokesperson refused to comment.

Mobikwik refused to give a direct answer to a query on whether the RBI has ordered a forensic audit.

“We take privacy and security of our user data seriously and are working with authorities to conduct an independent forensic audit,” it said.

However, the sources said the RBI had asked Mobikwik to get the forensic audit done without any delay to ascertain whether there was a data breach or not.

The regulatory diktat comes after Mobikwik contacted CERT-IN on the issue, the sources said, adding that CERT-IN had shared a data leak sample with the company, which concluded that the sample didn’t belong to them.

“The RBI has asked Mobikwik to get a third-party forensic audit carried out at the earliest by a CERT-IN-(Indian Computer Emergency Response Team)-empanelled auditor and submit the report without any delay,” one of the sources said, quoting a letter from the regulator.

However, Mobikwik had admitted to CERT-IN that on March 1, there was an unauthorized attempt to access its user-facing application programming interface associated with a payment link generated through its platform. The attempt was scuttled, Mobikwik claimed, but this left CERT-IN unconvinced, and it later recommended a forensic audit to the RBI, as per the sources.

On Tuesday, PTI received an email from a hacker group named Jordandaven regarding a database of around 9.9 crore Mobikwik users’ personal information, such as mobile numbers, bank account details, emails, and credit card numbers. Jordandaven has also shared details of Mobikwik founder Bipin Preet Singh and chief executive Upasana Taku from the database.

Mobikwik, on Tuesday, denied the allegations saying they take data security very seriously and are fully compliant with all applicable data security laws.

“We are subjected to stringent compliance measures under its PCI-DSS and ISO certifications which include annual security audits and quarterly penetration tests to ensure the security of its platform.

“As soon as this matter was reported, we undertook a thorough investigation with the help of external security experts and did not find any evidence of a data breach,” Mobikwik had said on Tuesday.

On 30 March, Mobikwik also updated its blog, saying, “The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”

“For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card, or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any dark web/anonymous links as they could jeopardize your own cyber safety,” it added.
