wordpress blog stats
Connect with us

Hi, what are you looking for?

, , , ,

MobiKwik still under RBI scanner after alleged data breach in February: RTI

The incident which allegedly compromised sensitive user data has continued to haunt the IPO-bound fintech unicorn.

MobiKwik, which allegedly suffered a data breach earlier this year, is still under the Reserve Bank of India’s scanner. The payment startup has submitted its third-party forensic audit report to the financial regulator and is being currently examined by the RBI, an RTI response revealed.

In the RTI filed by independent security researcher Srinivas Kodali and seen by MediaNama, RBI was asked regarding the action that has been taken in regards to the cyber security incident. RBI replied,”The forensic audit report submitted by the entity is under examination.”

Meanwhile, RBI also declined to disclose information regarding the number of security incident reports that it received in 2021. “As the disclosure of the requested information would impact customer confidence on payment systems thereby affecting the economic interests of the State, the same is exempt from disclosure under Sec 8(1)(a) of the RTI Act, 2005.”

Instances of data breaches leading to personal data being sold on the dark web are increasing year-on-year even as India’s Data Protection Bill is still in the works. Without a data protection authority, there is regulatory ambiguity in terms of who should respond to and investigate such breaches.

What exactly happened with MobiKwik?

In February, cybersecurity researcher Rajshekhar Rajaharia alleged that sensitive data belonging to millions of cardholders and users stored on MobiKwik’s servers was compromised and that it was put up for sale online. In April, PTI reported that RBI had ordered a third-party forensic audit into allegations of the data breach.

Advertisement. Scroll to continue reading.

The data dump, around 8.2 terabytes, allegedly included sensitive financial information of MobiKwik users and more:

  • 36 million files containing KYC information belonging t0 3.5 million people
  • Around 7.5 TB worth of KYC data pertaining to over 3 million merchants on MobiKwik’s network
  • Total of 350 GB of MySQL dumps that include 500 databases
  • 99 million users’ phone numbers, emails, hashed passwords, addresses, bank accounts, and card details
  • Over 40 million card details, up to 10 digits, have also been leaked with month, year, and card hash data

Forensic audit clearing MobiKwik came with a disclaimer

In July, MobiKwik in its draft red herring prospectus (DRHP), said it had taken cognisance of reports of a data breach.

Following such media reports, we engaged an independent digital forensic audit expert to conduct an audit relating to these allegations. The forensic audit expert subsequently reported that based on the analysis of logs/ data provided to them, there was no unauthorised access from outside of our Company’s infrastructure or internally to the database server wherein customer data is stored, during the review period — MobiKwik in its DRHP

However, there were some caveats. MobiKwik said that the forensic audit expert’s report was limited to —

  • Virtual walkthrough of its systems
  • Not analysing employee devices
  • Review was based on logs made available by the platform
  • Certain non-mandatory logs were not available for audit

“In addition to the recent incident, in 2010, when we were operating at a relatively smaller scale, a hacker had gained unauthorized access to our operating systems, which resulted in certain disruption in our operations,” the payments startup said.

Also read

Have something to add? Post your comment and gift someone a MediaNama subscription.

Advertisement. Scroll to continue reading.
Written By

Among other subjects, I cover the increasing usage of emerging technologies, especially for surveillance in India

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.


The accession to the Convention brings many advantages, but it could complicate the Brazilian stance at the BRICS and UN levels.


In light of the state's emerging digital healthcare apparatus, how does Clause 12 alter the consent and purpose limitation model?


The collective implication of leaving out ‘proportionality’ from Clause 12 is to provide very wide discretionary powers to the state.


The latest draft is also problematic for companies or service providers that have nothing to with children's data.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ