Upstox shows MobiKwik how to manage a data breach incident

Admitting to a data breach can help a company rebuild its reputation; flat-out denial, if a company is at fault, can only harm it.

Indian trading platform Upstox has openly acknowledged a data breach, weeks after another Indian company, mobile payment app MobiKwik, aggressively denied what a security researcher described as “probably the largest KYC data leak in history.”

Know-your-customer (KYC) data was at the heart of the Upstox data breach too. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

Upstox apologised to customers for the inconvenience, and sought to reassure them it had reported the incident to the relevant authorities, enhanced security and boosted its bug bounty program to encourage ethical hackers to stress-test its systems.

Independent security researcher Rajshekhar Rajaharia was first to report the Upstox data breach—and also the first to report that hackers on the dark web were selling data purportedly belonging to customers of mobile payment app MobiKwik.
