The Internet Freedom Foundation, a New Delhi-based digital rights think tank, has asked the Indian Computer Emergency Response Team (CERT-In) to initiate an enquiry into the reported MobiKwik data breach on March 31.
CERT-In is governed by the Ministry of Electronics and Information Technology (MeitY). MobiKwik has denied the allegations of a data leak.
“In view of the massive data breach and the lack of an appropriate response from MobiKwik, we request you to initiate an inquiry over the reported data breach. Such an inquiry ought to require executives of MobiKwik to provide detailed explanations to your office,” Apar Gupta, Executive Director, Internet Freedom Foundation, said in a letter to CERT-In.
Section 70B(6) provides for such an inquiry, as it gives CERT-In the power to call for information and give directions to service providers, intermediaries, data centres, bodies corporate and any other person, the letter said.
The massive breach reportedly included KYC details of 3.5 million people and phone numbers, email, hashed passwords, addresses, bank accounts and card details of close to 10 crore users. This data was available for sale on the dark web for anyone who could pay 1.5 bitcoins, which is equal to $88,434.
Moneycontrol has independently verified the leak for some of the users, whose personal information such as email, address and mobile number was leaked on the dark web.
The letter said that CERT-In must conduct a technical audit and call on MobiKwik to provide a substantive explanation of why such a breach has taken place, along with details of the breach, including the number of users affected and the date and time on which the breach took place.
The company, the letter said, should inform each affected user of the extent to which the breach has impacted them, devise a strategy to remedy the situation, and permit an independent agency to conduct a forensic data security audit and publish its findings.
It has also asked the company to withdraw its threat to the cybersecurity researcher who first exposed the data leak in February.
A MobiKwik spokesperson said in a statement on March 30 that the company has undertaken a thorough investigation with the help of external security experts and did not find any evidence of a breach. “The company is closely working with requisite authorities on this matter and considering the seriousness of the allegations, will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the spokesperson said.