Indian trading platform Upstox has openly acknowledged a data breach, weeks after another Indian company, mobile payment app MobiKwik, aggressively denied what a security researcher described as “probably the largest KYC data leak in history.”

Know-your-customer (KYC) data was at the heart of the Upstox data breach too. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

Upstox apologised to customers for the inconvenience, and sought to reassure them it had reported the incident to the relevant authorities, enhanced security and boosted its bug bounty program to encourage ethical hackers to stress-test its systems.

Independent security researcher Rajshekhar Rajaharia was first to report the Upstox data breach—and also the first to report that hackers on the dark web were selling data purportedly belonging to customers of mobile payment app MobiKwik.

Rajaharia said he first contacted MobiKwik on Feb.
25, after discovering a dark web forum user selling a 7TB trove of data that appeared to come from its system, including KYC data for millions of people with names, dates of birth, email addresses, phone numbers, Aadhaar identity card details, hashed passwords, and payment card and bank account information.

On March 1, Rajaharia tweeted details of the leak without naming the company, but when the hacker released a larger sample of data identifying the company on March 4, he named MobiKwik in a new tweet.

Rather than offer rewards, MobiKwik vociferously denied the claims of a data breach and accused its accuser of being “a media-crazed so-called security researcher” who repeatedly “presented concocted files” and wasted the company’s time.

“We thoroughly investigated his allegations and did not find any security lapses,” the company tweeted. “Our user and company data is completely safe and secure.”

In response, numerous MobiKwik users posted screenshots showing their personal information and card details in the database leaked by the hacker, and the hashtag #mobikwikdatabreach began trending.

Apologise and move on

Acknowledgement of an error and an apology aren’t always enough to restore a company’s reputation after a major security incident, but they can help.

When the NotPetya ransomware wiped its PCs and servers in 2017, global shipping line Maersk opted for radical transparency. As a result, it was able to call on its customers and suppliers for help in the weeks-long process of rebuilding its internal network, and has come through the incident with its reputation largely unscathed.

Not so Equifax, the credit checking agency that was hacked and suffered a massive data breach that same year. Company executives delayed acknowledgement of the breach, then fudged their response, misinforming and misdirecting people trying to find out whether they were affected.
The CIO of one of Equifax’s divisions was sentenced to four months in prison after selling stock in the company before the breach became public. Equifax’s name still brings to mind the hack.

MobiKwik, meanwhile, behind its aggressive denials, is cooperating with an official investigation. The Reserve Bank of India (RBI) has mandated a forensic audit to investigate the data leak in the wake of MobiKwik reporting the incident to CERT, Livemint reported on March 31.

A company spokesperson told CSO Online, “We are working closely with requisite authorities to conduct an independent forensic audit.”

A source confirmed that a CERT-empanelled audit committee is in charge of conducting the investigation and that it will take at least 3-4 weeks for the audit to conclude.

MobiKwik has said it’s likely that the leaked data came from different sources, such as other websites where its users might have shared their information. However, some users pointed out that the date they signed up with MobiKwik was also visible in the cache of leaked data, information they said could only have come from MobiKwik.

The company’s denials only served to bring more people out in public forums to present evidence they claimed showed that MobiKwik’s database was indeed compromised.

Sanjeev Gupta, former CEO of Digital India Corporation, revealed that he found details of three expired cards on his MobiKwik account and that sensitive information like credit card numbers, card verification code and expiration dates were accessible in the database put up for sale by the hackers, in addition to his email ID and mobile number. “I shudder to think for those who did full KYC using Aadhaar,” he added.

Other users also reported that the leaked data contained details of cards they had provided to MobiKwik and subsequently deleted from their account.
One user reported that he had removed some of his old cards from his MobiKwik account and later found them in the leaked database; another stated that he had deleted his card details and hadn’t used his MobiKwik account for two years, only to find his card details listed among the compromised accounts.

A hacker or hacker group going by the name ninja_storm was behind the sale of the data said to be from MobiKwik. A fairly new player in dark web forums, ninja_storm registered on the hacker marketplace RaidForums on February 8, 2021.

Rajaharia said that initially the hacker or hacker group only dealt in cryptocurrency and that they had access to AWS keys of major companies—both in India and overseas.

“I believe a lot of these keys were obtained through insiders when companies across the globe shifted to remote working. Companies have little visibility on applications being installed and websites accessed by their employees,” he said.

Rajaharia had written to India’s computer emergency response team (CERT) based on what he observed in hacker forums and warned them of the looming threat stemming from compromised AWS keys.