The Reserve Bank of India (RBI) has asked digital wallet firm MobiKwik to carry out a forensic audit without delay after allegations of a data breach against the company. While MobiKwik has denied claims that sensitive data of millions of its users was leaked, independent cybersecurity researchers have alleged that a database containing KYC (know your customer) details of nearly 3.5 million users of MobiKwik is up for sale on the dark web.
Sources told PTI that the RBI has ordered an immediate forensic audit of the company's systems by a certified auditor.
On whether the RBI has ordered a forensic audit, MobiKwik stated, “We take privacy and security of our user data seriously and are working with authorities to conduct an independent forensic audit.”
Quoting a letter from the regulator, one of the sources told PTI, “The RBI has asked MobiKwik to get a third-party forensic audit carried out at the earliest by a CERT-IN-(Indian Computer Emergency Response Team)-empanelled auditor and submit the report without any delay.”
Sources added that MobiKwik had contacted CERT-IN on the issue, which shared a data leak sample with the company. MobiKwik had concluded that the sample didn’t belong to them.
However, while admitting that there was an unauthorised attempt on March 1 to access its user-facing application programming interface associated with a payment link generated through its platform, MobiKwik said the attempt was foiled. But CERT-IN was left unconvinced, and later suggested a forensic audit to the RBI, the sources told PTI.
MobiKwik, on Tuesday, said that it takes its data security very seriously and is fully compliant with applicable data security laws. “The company is subjected to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure security of its platform,” said Bipin Preet Singh, CEO of MobiKwik.
“When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach,” he added.