In the latest development on the alleged data leak from Mobikwik’s server, the hacker group has now claimed that it has deleted all the users’ data from its servers, and the users are now safe.
This comes after Mobikwik on Tuesday, 30 March, said they would initiate a forensic data security audit. “The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit,” a Mobikwik spokesperson had said on Tuesday.
This data breach is claimed to have been done by a group of hackers called the ‘Ninja_Storm’ who have been selling the ‘leaked’ data online since 26 March. According to a post by the hacker group, the data was being sold at 1.5 Bitcoins, which is nearly Rs 63 lakhs.
Hackers Respond
The darknet site, which had been turned into a data dump where users could check their leaked information, has now been shut down. It has been replaced with a message stating that Mobikwik’s data has been deleted.
“All Mobikwik Data is deleted on our servers. All users safe,” reads the message on the website.
At the bottom of the screen, a message by the hacker group reads, “I have been told that I am single-handedly helping India to make better data regulations and to fine companies if they lose user data like GDPR. Didn't expect this outcome when we hosted this site”.
On an online forum, the hacker group explained the reason behind deleting the data from their servers: “All of India is worried about this leak as it has 99 million users and 3.5 million users’ KYC details. We had very long and deep conversations with some independent security researchers about the consequences if data is leaked or sold and decided we will delete all data from our end as MobiKwik is incompetent in that regard”.
‘We Are Not Ruthless’: Hackers
Speculation is rife that this data breach was carried out ahead of Mobikwik’s IPO launch to malign the company’s reputation.
Responding to this allegation, hackers said, “We are not as ruthless as all those news reporters whose only aim is to destroy the company and report anything without thinking about consequences and to destroy the company's IPO”.
IFF Backs Cyber Experts
Internet Freedom Foundation has put out a statement backing cyber experts, after MobiKwik threatened legal action against the cyber security researcher who uncovered the breach. “It must immediately be recalled. Policy reform is needed as cyber security researchers face threats of legal prosecution without legislative protection,” read the statement by IFF.
Earlier, in the first week of March, cyber expert Rajshekhar Rajaharia revealed the alleged data leak on Twitter, stating that the data of 11 crore Indians had been leaked through Mobikwik’s server.
Immediately, on 4 March, Mobikwik called the researcher (without naming him) ‘media crazed’ and said that the company would take action against him for maligning the brand’s reputation. However, IFF has demanded that such cyber experts should not face threats of any legal prosecution as “they ensure that problems are discovered and fixed and bad people do not end up with our personal data”.
IFF also demanded that payment platform Mobikwik offer an explanation on why such a breach took place, provide details including the number of affected users and the date and time of the breach, besides issuing a statement explaining steps taken to ensure that such a breach does not occur in the future.
“The statement by IFF is valid because we (cyber experts) are always threatened by companies when we reveal a data breach. We should be provided some legislative protection so that we can continue to do our jobs,” Rajshekhar Rajaharia, Cyber Security Expert, told The Quint.