After MobiKwik received widespread criticism over the alleged breach that caused a data leak affecting over 3.5 million users, the company has again denied the allegation. In its statement, MobiKwik said that it is a ‘Truly Indian Payments App’ that is currently used by 100 Million Indians and built by 350 Indians. MobiKwik claimed that it takes data security very seriously and “is fully compliant with applicable data security laws.”
A note to our users. pic.twitter.com/J3WRM0Ko8v
— Bipin Preet Singh (@BipinSingh) March 30, 2021
MobiKwik detailed the data security measures it takes
In the statement, MobiKwik said that it has robust internal policies and information security protocols. It follows stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. “These include annual security audits and quarterly penetration tests to ensure the security of its platform. Under ISO 29147 Responsible Vulnerability Disclosure Program, it has a long-running Bugs Bounty program, where ethical hackers report security issues which are immediately fixed,” they added.
The indirect blame on users
In the statement, what everyone found bizarre was the fact that MobiKwik tried to blame the users. It said some users have reported that their data is visible on the dark web. Though they are investigating the matter, “it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
Netizens did not take the blame lightly and criticized MobiKwik further for its stand. Sunny Nehra, Admin at Hacks And Security, said, “So in short you meant to say the users are responsible for this data leak and not MobiKwik. Well, the #mobikwik account creation date of users match with that in leaked data. The name convention of files, other info (like phnumber@ nocash. MobiKwik. com) all is coincidental.”
So in short you meant to say the users are responsible for this data leak and not @MobiKwik
Well the #mobikwik account creation date of users match with that in leaked data.
The name convention of files, other info (like phnumber@ nocash. mobikwik. com) all is coincidental 🤷♂️🙏 https://t.co/Y7IabVSVWu
— Sunny Nehra (@sunnynehrabro) March 30, 2021
While talking to OpIndia about the leak and the statement issued by MobiKwik, Nehra said Indian companies should start accepting the mistake rather than blaming their users, directly or indirectly.
“The intimidation can work once or twice, but in the long run, it will hurt the company itself,” he said. Nehra said MobiKwik is a perfect case study to learn how not to handle data breaches or acknowledgment of breaches. “Denied the breach even after evidence, threatened the security researchers who brought it to light and blaming the users or victims whose data got leaked,” he added.
S Vaibhav asked if MobiKwik was blaming its users to save itself from the breach.
CEO, @MobiKwik, “It is entirely possible that any user could have uploaded her/his information on multiple platforms.”
Why will a user upload their information on different platforms?
Is @MobiKwik blaming its own users to save themselves from the breach? #CyberSecurity https://t.co/cViBfZ7cFC
— S Vaibhav (@_therealvaibhav) March 30, 2021
Several other users showed their amazement over the blame-shifting by MobiKwik.
How cute! Play the nationalism card and shift the blame from yourself and on to the users. https://t.co/VsfKKhl2T6
— inhsorisms (@inhsorisms) March 30, 2021
🇺🇸 we’re sorry, we will do everything to help you
🇮🇳 no breach, it’s the users’ fault https://t.co/5hBoBVGH0V
— Akhil Arora (@akhil_arora) March 30, 2021
Blame your customers and further advise them not to open anon links. Definitely a sound strategy!! https://t.co/oeypXOb31I
— Ramya Krishna Puttur (@Ramya_Puttur) March 30, 2021
MobiKwik will get a third-party forensic data security audit
In its statement, MobiKwik further added that although it could not find any data breach when the issue was first reported, given the seriousness of the allegations it will have a third party conduct a forensic data security audit. “Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit,” they said.
‘The accounts and balances are safe’ claimed MobiKwik
Claiming that the company is committed to a safe and secure Digital India, MobiKwik said that all the accounts and balances on the platform are entirely safe. “All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number,” they added while urging people not to open anonymous or dark web links as they could jeopardize users’ cyber safety.
If the breach happened, MobiKwik should come clean
As the company has mentioned, it is planning to get a third-party audit, which can be seen as a welcome step. However, the current stand and recent statement by MobiKwik officials are adding more doubt to the minds of already panicked customers. When millions of users are involved, such a data breach cannot be taken lightly. MobiKwik should have commissioned the third-party audit when the breach was first reported.
In our previous report, we mentioned that reports suggest the hackers have claimed they are in contact with the company, and that the sale was on hold for the time being. Instead of throwing the users under the bus, MobiKwik could have skipped the blame-shifting and ended the statement by mentioning that it is getting a third-party audit.