Some industry groups that advocate internet freedom and cybersecurity have written to the Indian Computer Emergency Response Team (CERT-IN), the country's nodal agency for dealing with cybersecurity threats, asking it to enquire into the reported data breach affecting users of payments platform Mobikwik.
Several cybersecurity researchers have in recent days reported an alleged data breach affecting as many as 100 million Mobikwik users, though the company has denied the claim.
The Internet Freedom Foundation (IFF) on Wednesday said it has written to CERT-IN asking them to initiate an inquiry over the alleged data breach of Mobikwik users, and to ask executives of MobiKwik to provide detailed explanations to their office as per the Information Technology Act, 2000. The Free Software Movement of India has also asked CERT-In to carry out an investigation into the incident.
"India is witnessing one of the most significant data breaches in history. Users, security researchers and news organisations have reported that data of 10 crore Indians, including their passport details, addresses and phone numbers, is available for sale on the dark web. As per press reports, the data was in the custody of MobiKwik, which provides a mobile-based payment system. While MobiKwik has denied the data breach, independent security researchers and Indian Express have verified that details of MobiKwik users are available on the dark web. We have written to the Computer Emergency Response Team (CERT-IN) asking them to initiate an inquiry over the data breach in terms of Section 70B(6) of the Information Technology Act, 2000," IFF said in a social media post.
"In the letter, we have highlighted the concerns we have raised above and requested CERT-IN to conduct an inquiry into the data breach and conduct of MobiKwik, and require executives of MobiKwik to provide detailed explanations to their office in terms of Section 70B(6) of the Information Technology Act, 2000. We are hopeful that an enquiry by CERT-IN may compel MobiKwik to act responsibly and even provide compensation to its users as per Section 43A of the Information Technology Act, 2000," the post said.
Cybersecurity researcher Rajashekhar Rajaharia, who earlier this year also highlighted the Juspay data breach, had flagged the alleged data leak of Mobikwik users on February 26.
Rajaharia has said that the hackers have put 8.2 TB of sensitive data of Mobikwik users up for sale on the dark web, with an asking price of 1.5 Bitcoins. The Bitcoin price in India as of Tuesday was Rs 42 lakh, based on quotes on Indian crypto exchanges. The data allegedly includes KYC data, including Aadhaar data, of 36 million users, card data of 40 million users, and mobile and email data of 100 million users.
In a social media post on Tuesday, the company said that it had investigated the matter but did not find a breach.
"Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source," the company statement read.
Mobikwik also said in its post that it will conduct a forensic data security audit.
"When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit."
(Edited by: Abhishek Jha)
First Published: Mar 31, 2021 6:46 PM IST