Date: 2021-07-12

A forensic audit following MobiKwik’s data breach in March 2021 has revealed that there has been no unauthorized access; however, the company’s process has limitations, according to the draft red herring prospectus (DRHP) filed by MobiKwik on July 12.

Data breach

In March 2021, security researchers flagged that KYC data of over 3.5 million Indians had been compromised and claimed that it was the largest data leak in history. The massive breach reportedly included KYC details of 3.5 million people and phone numbers, email addresses, hashed passwords, addresses, bank accounts and card details of close to 10 crore users. This data was available for sale on the dark web for anyone who could pay 1.5 bitcoins, which is equal to $88,434 (Rs 62,63,110).

While the company denied these claims, it launched a forensic audit over the data leak.

Forensic audit

In the DRHP, the company said, “…in March 2021, certain media reports alleged an unauthorised breach of our data security systems and gaining wrongful access to personal and financial data of our users. Following such media reports, we engaged an independent digital forensic audit expert to conduct an audit relating to these allegations.”

The forensic audit expert, the report said, analysed the logs/data provided to them, and revealed that there was no unauthorised access from outside the company’s infrastructure or internally to the database server wherein customer data is stored, during the review period.

“The report however states certain limitations to the processes undertaken, including virtual walk-through of our systems, not analysing employee devices and that the review was based on logs made available by us and certain non-mandatory logs were not available for the audit,” the report said.

Apart from the incident in March 2021, over a decade ago in 2010, a hacker had gained unauthorized access to our operating systems that had resulted in certain disruption in our operations, the company said.

“Any such actual or perceived breach of our security could interrupt our operations; result in our systems or services being unavailable; result in improper disclosure of or access to data resulting in legal or financial exposure and loss of user confidence and reputation; and adversely affect our business and results of operations.

“Similarly, certain vulnerabilities or breaches of network or data security at our merchants, partners or users could have similar effects and could mistakenly be attributed to us, which could also adversely affect our business, prospects, financial condition and results of operations,” the company said.