MobiKwik is said to be India’s No 2 player in the mobile wallet space in India and amongst the 3 players in the payment gateway industry. It has a network of over 3 million direct merchants and 140+ billers and 107 million plus users recording over 1 million transactions per day.
Unfortunately the Company seems to have been hit by a huge data leak and a data base containing sensitive personal data of over 3.5 million users seems to have been made available on the dark web.
The massive breach reportedly included 36,099,759 files. Apart from this, the 8.2 TB data comprises 99,224,559 user phone numbers, email, hashed passwords, addresses, bank accounts and card details.
The entire data base is available for ale by payment of 1.5 BTC (equivalent to around 84000 USD or nearly Rs 60 lakhs). The entire data package includes
1) Total 350GB MySQL dumps: 500 databases.
2) 99 million data — mail, phone, passwords, addresses, etc.
3) 40 million — 10 digit card, month, year, card hash, etc.
4) Company data.
5) Over 7.5 TB of 3 million Merchant KYC data, including passports, Aadhar cards, pan cards etc.
To place the record straight, the Gurugram based company has denied the data leak and the website of the company does not give any disclosure of the same. Some are saying that the data leak may not be from the company.
The leak is said to be of the KYC data and questions are being raised about the Information Security status of the company. From the 1st of April, RBI is introducing new rules for card payments. This new rule will require an additional authentication for recurring transactions using credit cards, debit cards, UPI or prepaid payment instruments. The rule of additional authentication will apply to payments upto Rs 5000 and payments above this limit will require OTP. Further ,half yearly audits from Cert empaneled auditors may also be required to be conducted by them.
Many star up companies are not happy with the RBI restrictions and would like greater freedom to collect and use personal data without any obligations of securing Cyber Crimes or data protection.
This data breach is a reminder to these Fintech companies that they require to substantially improve their security measures. Some Fintech companies ensure that they are PCI DSS compliant and MobiKwik also may be holding the necessary certificate. But we must appreciate that PCI DSS is meant to safeguard only a small part of the information which need to be secured. ISMS with ISO 27001 certification would have provided better security though it is not focussed on protecting the personal information.
It is possible that MobiKwik might not have initiated specific measures for compliance of Section 43A of ITA 2000 and is answerable to the Cert In for the data leak. Had there been a Data Protection Authority under PDPA of India, then the issue would have escalated into a huge fine and questions would have been asked if MobiKwik has adequate Cyber Insurance to keep itself financially stable. The company is said to be planning an IPO during this year and this data leak would become a necessary disclosure in the prospectus unless the IPO is postponed for some time.
This is a typical instance of a Fintech Company being ignorant and negligent of Indian laws such as ITA 2000 and it is essential that the industry wakes up now before the more stringent Data Protection law comes into existence.
When such personal data is lost, the kind of harm that can be caused to the data principals is a matter of interest to the Privacy watchers. The harm could be loss of money or loss of opportunities etc. In a recent data breach in Royal Dutch Shell which was hit by a ransomware gang, extortionists leaked the worker’s passport and Visa scans online apart from the corporate data such as invoices etc. What such data leaks would cost to a company when the Data Protection Authority is assessing the damage for imposing a fine would be of interest.
The data protection professionals of FDPPI are undertaking an academic exercise to evaluate the financial damage that may occur to a company in such cases.