Here is what happened
Popular Indian mobile payments service MobiKwik came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web for sale.
What got leaked?
MobiKwik’s response to this breach
MobiKwik has continued to deny the allegations, releasing a lengthy statement refuting claims that user data is available on the dark web.
The company says it has robust internal policies and information security protocols and is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform. Under ISO 29147 Responsible Vulnerability Disclosure Program, it has a long-running Bugs Bounty program, where ethical hackers report security issues that are immediately fixed.
Even though Mobikwik has denied this leak, there are several reasons to believe that a breach was made. Several Mobikwik users have claimed on twitter that their data is present in the leaked database with the screenshot of the leaks.
The ongoing battle between the platform and the researcher leaves Mobikwik users with uncertainty and confusion. Even though the matter will be investigated over the next few days, the users are advised to update their Mobikwik account with new passwords. They should also update passwords to email addresses, set up two-factor authentication (2FA), including OTPs and fixed passcodes, wherever possible.
What’s the best security strategy against such focused cyber-attacks?
The number of data breaches in India has been rising over the last two years. In November, BigBasket filed a complaint with the Cyber Crime Cell in Bengaluru to verify claims made by cybersecurity intelligence firm Cybele that a hacker had put up the online grocer’s user data sale on the Dark Web for over $40,000. In May, Edutech startup Unacademy had also disclosed a data breach that compromised the accounts of 22 million users.
According to the national cybersecurity agency, cyber attacks have surged from 53,117 in 2017 to 208,456 in 2018, 394,499 in 2019, and 11,58,208 in 2020.
The cyber-crime landscape is evolving so fast that it’s a matter of time for a hacker to invade and exfiltrate business-sensitive data. If they can’t directly infiltrate the business, they are attacking through third parties.
Traditional security strategies are proving insufficient against targeted attacks.
Sumeru recommends the below steps:
For over 20 years, Sumeru has been helping businesses to prevent breaches, simulate attacks, monitor security, stay compliant, and get secured with 40+ security offerings.
Reach out to [email protected] to know more.