Indian mobile payments company MobiKwik reportedly suffered a massive breach of user records this year that involved a hacker carting away the personal information of nearly a hundred million Indian citizens.
Earlier this week, security researcher Rajshekhar Rajaharia said he discovered more than 8.2TB of MobiKwik user data on a dark web site that included personal information of Indian citizens like names, phone numbers, email addresses, scrambled passwords, GPS locations, transaction logs, and partial payment card numbers.
According to Rajaharia, a hacker named Jordan Daven has claimed responsibility for breaching MobiKwik and uploaded the stolen data on a dark web forum in January. The sale of the massive data repository taken from MobiKwik has also been confirmed by French cyber security researcher Robert Baptiste aka ‘Elliot Alderson’.
The trove of stolen data, amounting to more than 8.2TB, has reportedly been put up for sale for 1.2 bitcoin, which translates to roughly £51,402. The seller claims to have the Know Your Customer (KYC) data of 3.5 million MobiKwik users and, to prove that the data is genuine, has uploaded four random pictures of the raw data dump on the dark web site.
MobiKwik, which says its digital payments services are used by over 120 million people and 3 million merchants, has denied suffering any breach of customer records. Bipin Preet Singh, the company’s CEO, took to Twitter and said that they investigated the matter when it was flagged by security researchers and could not find any evidence of any data breach.
“While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source,” Singh said.
TechCrunch, however, has accessed a screenshot which shows a MobiKwik official requesting an Amazon representative to share logs relating to its cloud service after the company “came to know that our S3 [cloud storage] data is downloaded by some other person outside the organization.”
Commenting on the reported breach suffered by MobiKwik, John Pocknell, an expert in database management and senior marketing strategist at Quest, said that years of being able to spin up databases at the drop of a hat have led to a situation where many organisations don’t have a clear picture of what they need to secure, in particular non-production databases that contain personal data, let alone how they need to go about securing it.
“The database ought to be an environment where organisations can have the most visibility and control over the data that they hold, and this type of breach should be one of the more easily avoidable.
“Organisations should ensure that only those users who need access have been granted it, that they have the minimum privileges necessary to do their job and wherever possible, databases should be placed on servers that are not directly accessible on the internet,” he added.