Mobikwik has toned down its sharp response to claims of what has been reported as the biggest data breach of its kind. After taking shots at independent cyber security researcher Rajshekhar Rajaharia in its initial response dated March 4, Mobikwik has now issued a statement after a data dump on the dark web listed nearly 11 crore entries of private and potentially sensitive user data, including over 35 lakh KYC (Know Your Customer) documents in an 8.2TB database. The company has now highlighted the cyber security standards it claims to follow, before stating that it is still investigating the data breach claims.
In its official statement, a Mobikwik spokesperson stated that the company is “subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure security of its platform. Under ISO 29147 Responsible Vulnerability Disclosure Program, it has a long running Bugs Bounty programme.” The statement further denies that the alleged Mobikwik data breach originated from Mobikwik’s own servers at all.
The rest of the statement reads, “Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.
“When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Mobikwik further addressed its users in its official statement, saying, “All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number.” The response comes after several notable figures from the cyber security community posted about the data breach, with some criticising the company for its lack of a compliant response to a seemingly serious complaint.
At the time of publishing, the dark web database remains live, even though its search functionality has been disabled to prevent malicious actors from misusing the resources, News18 could confirm.