Upstox shows MobiKwik how to manage a data breach incident

Indian trading platform Upstox has openly acknowledged a data breach, weeks after another Indian company, mobile payment app MobiKwik, aggressively denied what a security researcher described as “probably the largest KYC data leak in history.”

Know-your-customer (KYC) data was at the heart of the Upstox data breach too. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

Upstox apologised to customers for the inconvenience, and sought to reassure them it had reported the incident to the relevant authorities, enhanced security and boosted its bug bounty program to encourage ethical hackers to stress-test its systems.

Independent security researcher Rajshekhar Rajaharia was first to report the Upstox data breach—and also the first to report that hackers on the dark web were selling data purportedly belonging to customers of mobile payment app MobiKwik.

Rajaharia said he first contacted MobiKwik on Feb. 25, after discovering a dark web forum user selling a trove of data 7TB that appeared to come from its system, including KYC data for millions of people with names, dates of birth, email addresses, phone numbers, Aadhaar identity card details, hashed passwords, and payment card and bank account information.

On March 1, Rajaharia tweeted details of the leak without naming the company, but when the hacker released a larger sample of data identifying the company on March 4, he named MobiKwik in a new tweet.

Rather than offer rewards, MobiKwik vociferously denied the claims of a data breach and accused its accuser of being “a media-crazed so-called security researcher” who repeatedly “presented concocted files” and wasted the company’s time.

“We thoroughly investigated his allegations and did not find any security lapses,” the company tweeted. “Our user and company data is completely safe and secure.”

In response, numerous MobiKwik users posted screenshots showing their personal information and card details in the database leaked by the hacker, and the hashtag #mobikwikdatabreach began trending.

Apologise and move on

Acknowledgement of an error and an apology aren’t always enough to restore a company’s reputation after a major security incident, but they can help.

When the NotPetya ransomware wiped its PCs and servers in 2017, global shipping line Maersk opted for radical transparency. As a result, it was able to call on its customers and suppliers for help in the weeks-long process of rebuilding its internal network, and has come through the incident with its reputation largely unscathed.

Not so Equifax, the credit checking agency that was hacked and suffered a massive data breach that same year. Company executives delayed acknowledgement of the breach, then fudged their response, misinforming and misdirecting people trying to find out whether they were affected. The CIO of one of Equifax’s divisions was sentenced to four months in prison after selling stock in the company before the breach became public. Equifax’s name still brings to mind the hack.

MobiKwik, meanwhile, behind its aggressive denials is cooperating with an official investigation. The Reserve Bank of India (RBI) has mandated a forensic audit to investigate the data leak in the wake of MobiKwik reporting the incident to CERT, Livemint reported on March 31.

A company spokesperson told CSO Online, “We are working closely with requisite authorities to conduct an independent forensic audit.”

A source confirmed that a CERT-empanelled audit committee is in charge of conducting the investigation and that it will take at least 3-4 weeks for the audit to conclude.

MobiKwik has said it’s likely that the leaked data came from different sources, such as other websites where its users might have shared their information. However, some users pointed out that the date they signed up with MobiKwik was also visible in the cache of leaked data, information they said could only have come from MobiKwik.

The company’s denials only served to bring more people out in public forums to present evidence they claimed showed that MobiKwik’s database was indeed compromised.

Sanjeev Gupta, former CEO of Digital India Corporation, revealed that he found details of three expired cards on his MobiKwik account and that sensitive information like credit card numbers, card verification code and expiration dates were accessible in the database put up for sale by the hackers, in addition to his email ID and mobile number. “I shudder to think for those who did full KYC using Aadhaar,” he added.

Other uses too reported that the leaked data contained details of cards they had provided to MobiKwik and subsequently deleted from their account. One user reported that he had removed some of his old cards from his MobiKwik account and later found them in the leaked database, another stated that he had deleted his card details and hadn’t used his MobiKwik account for two years, only to find his card details listed among the compromised accounts.

A hacker or hacker group going by the name ninja_storm was behind the sale of the data said to be from MobiKwik. A fairly new player in dark web forums, ninja_storm registered on the hacker marketplace RaidForums on February 8, 2021.

Rajaharia said that initially the hacker or hacker group only dealt in cryptocurrency and that they had access to AWS keys of major companies—both in India and overseas.

“I believe a lot of these keys were obtained through insiders when companies across the globe shifted to remote working. Companies have little visibility on applications being installed and websites accessed by their employees,” he said.

Rajaharia had written to India’s computer emergency response team (CERT) based on what he observed in hacker forums and warned them of the looming threat stemming from compromised AWS keys.