
Mobikwik Data Breach: Case Study & Legal Implications

The security of sensitive consumer information has come under scrutiny in recent years because data breaches are occurring more often. One important event was the MobiKwik data breach, in which the private information of millions of users was exposed. The sheer volume of data leaked in this breach drew wide attention and raised serious questions about privacy, regulation, and corporate responsibility. This article looks at the MobiKwik data breach from a legal point of view: what happened to the company and the people who were affected, which laws apply to breaches of this kind, and what the incident could mean for how businesses operate in the future.

What is MobiKwik and its Data Breach?

Launched in 2009, MobiKwik quickly became a major player in India's mobile wallet and payment market. Its services include digital payments, money transfers to other people, and even loans and insurance. By 2021, MobiKwik had more than 101 million registered users, making it one of the biggest fintech companies in India.

The Breach Opens

A security researcher warned of a huge data theft in February 2021. According to him, MobiKwik's servers had been breached by a hacker group known as "Jordan Daven", and 8.2 terabytes of sensitive data had been taken.

  • According to reports, the stolen data was being sold on dark web forums and included names, email addresses, phone numbers, home addresses, GPS coordinates, and partial credit card numbers.

  • The leaked data also included Know Your Customer (KYC) documents for 3.5 million users, containing sensitive identification data such as Aadhaar and PAN card details.

  • These documents are central to proving one's identity in India, which is why their public availability is so alarming.

Mobikwik's First Response

At first, MobiKwik denied the claims outright. Asserting that its data was safe, the company said the researchers' evidence was misleading. It suggested that users might have unknowingly shared their data across several platforms, which would explain why it turned up elsewhere.

MobiKwik even disparaged the security researchers, calling them "media-crazed" and accusing them of spreading lies.

New evidence comes in

Despite MobiKwik's denial, users and independent researchers found their own personal information, including credit card numbers, at dark web links connected to the breach.

The French cybersecurity researcher Robert Baptiste, better known by the handle "Elliot Alderson", said it was "likely the biggest KYC data leak in history."

Actions by regulators

The Reserve Bank of India (RBI) stepped in as the breach drew more attention. It ordered MobiKwik to undergo a forensic audit. The RBI was not satisfied with the company's initial response and warned that MobiKwik could be penalised if it was found not to have adequately protected user data.

The Forensic Check

Under pressure from the RBI, MobiKwik hired an independent digital forensics firm to investigate the breach. The audit reported no evidence of unauthorised access to the company's database during the investigation period. Its scope was limited, however: it did not examine some employee devices or logs that fell outside its mandate.

Backlash from the public

The breach and MobiKwik's initial denial did serious damage to the company's reputation. Users lost faith in the platform, and many chose to delete their accounts. The company's mishandling of the situation also raised broader concerns about how well fintech companies in India handle sensitive customer data.

Carrying Out Investigations

Because of the breach, MobiKwik could have been fined or faced other legal consequences if the audit had uncovered security flaws. Experts criticised the company for not acknowledging the breach sooner, arguing that transparency could have helped repair its reputation.

Legal Implications

In India, personal data is protected by the Information Technology Act, 2000 (IT Act) and the rules made under it, such as the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information (SPDI) Rules.

  • These regulations require companies like MobiKwik to put adequate security measures in place to protect users' sensitive information from unauthorised access, disclosure, or modification.

  • Beyond exposing personal data, the breach put users at serious risk of identity theft, financial fraud, and phishing attacks.

  • MobiKwik may have breached these privacy laws if the incident resulted from negligence or from inadequate security measures. Depending on the type of data exposed, the company could also be held liable under the SPDI Rules for failing to protect sensitive personal information.


What can be done to stop future breaches?

To prevent breaches of this kind from recurring, companies like MobiKwik need to take a proactive approach to data security.

  • Use strong encryption: Protect sensitive data by encrypting it both in transit and at rest.

  • Carry out regular security checks: Audit systems regularly to find and fix vulnerabilities before they can be exploited.

  • Tighten data access controls: Use strong authentication so that only authorised people can reach sensitive data.

  • Follow best practices for data storage: Encrypt or tokenise stored data, and retain only the data you actually need.
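The last three points (access controls, tokenisation, and keeping only the data you need) can be shown together in code. The following is an added example, not MobiKwik's code and not part of the original article: a hypothetical tokenisation vault built only on the Python standard library. A keyed hash (HMAC-SHA256) stands in for a real vault or key-management service, the `VAULT_KEY`, the `KycRecord` fields and the `SAMPLE_RECORD` values are all constructed, and the role name `fraud_team` is an assumed placeholder. It contrasts the weak pattern (every KYC field stored as-is) with the hardened pattern (tokens plus masked values, GPS dropped), gates reversal of a token behind a role check, and includes a small detection routine that flags any row still holding a raw PAN, Aadhaar number or card number, which is the kind of check a periodic audit would run over a data store.

```python
"""Tokenise and minimise KYC/payment fields before they reach a database.

Added example (not MobiKwik's code). The vault, key, roles and sample
record are all constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, asdict

# Constructed sample secret; in production this lives in an HSM/KMS.
VAULT_KEY = secrets.token_bytes(32)


@dataclass
class KycRecord:
    name: str
    phone: str
    pan: str
    aadhaar: str
    card_number: str
    gps: tuple  # latitude/longitude; not needed once onboarding is done


# Constructed sample record: dummy PAN, dummy Aadhaar, a standard test card.
SAMPLE_RECORD = KycRecord("Sample User", "9000000000", "ABCDE1234F",
                          "123456789012", "4111111111111111", (28.58, 77.32))


class TokenVault:
    """Maps sensitive values to opaque tokens; the raw value is held only here."""

    def __init__(self, key: bytes):
        self._key = key
        self._store: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Keyed hash: deterministic (same value -> same token, so joins still
        # work) but not forgeable without the key. Truncated for readability.
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Access control: only the (hypothetical) fraud team may reverse a token.
        if role != "fraud_team":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._store[token]


def mask(value: str, keep: int = 4) -> str:
    """Keep the last `keep` characters for support lookups; hide the rest."""
    return "X" * (len(value) - keep) + value[-keep:]


def store_raw(rec: KycRecord) -> dict:
    """The weak pattern: every field lands in the database exactly as collected."""
    return asdict(rec)


def store_minimised(rec: KycRecord, vault: TokenVault) -> dict:
    """The hardened pattern: tokens + masked values in the database, no GPS kept."""
    return {
        "name": rec.name,
        "phone": rec.phone,
        "pan_token": vault.tokenize(rec.pan),
        "pan_masked": mask(rec.pan),
        "aadhaar_token": vault.tokenize(rec.aadhaar),
        "aadhaar_masked": mask(rec.aadhaar),
        "card_token": vault.tokenize(rec.card_number),
        "card_masked": mask(rec.card_number),
        # gps deliberately dropped: data minimisation
    }


PAN_RE = re.compile(r"[A-Z]{5}[0-9]{4}[A-Z]")   # PAN format: 5 letters, 4 digits, 1 letter
AADHAAR_RE = re.compile(r"\d{12}")              # Aadhaar: 12 digits
CARD_RE = re.compile(r"\d{16}")                 # 16-digit card number


def leaks_identifiers(row: dict) -> list[str]:
    """Audit check: return the fields of a stored row that still hold a raw identifier."""
    hits = []
    for field, val in row.items():
        if isinstance(val, str) and (PAN_RE.fullmatch(val) or AADHAAR_RE.fullmatch(val)
                                     or CARD_RE.fullmatch(val)):
            hits.append(field)
    return hits


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    print("raw row leaks:", leaks_identifiers(store_raw(SAMPLE_RECORD)))
    hardened = store_minimised(SAMPLE_RECORD, vault)
    print("hardened row leaks:", leaks_identifiers(hardened))
    print("card shown to support:", hardened["card_masked"])
```

The masked column is what a support agent sees; the token is what analytics and fraud queries join on; only the vault holds the raw value, and only an authorised role can ask it to reverse a token. Because the token is an HMAC rather than a plain hash, an attacker who copies the database cannot recompute tokens from guessed PANs without the key.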

Summary

The MobiKwik data breach is a valuable lesson in how important strong data security and transparency are for fintech companies. To protect user data and maintain the public's trust, companies must put strong security measures in place, respond quickly and openly to reports of breaches, and work closely with regulators.


Mobikwik Data Breach: FAQs

Q1. What kind of data was breached in the Mobikwik breach?

Over 100 million users' sensitive information was exposed in this breach, including names, phone numbers, email addresses, and in some cases transaction and payment data.

Q2. How did the Mobikwik data breach happen?

A hacker group is said to have caused the breach by gaining unauthorised access to an unprotected database on MobiKwik's servers.

Q3. Why might Mobikwik be in trouble with the law because of the breach?

Under the Information Technology Act, 2000, MobiKwik could face close regulatory scrutiny. It could also face fines and compensation claims from affected users.

Q4. What can companies do to stop data breaches?

Companies should use strong encryption, carry out regular security audits, and follow industry standards for cybersecurity to keep sensitive data safe.

Q5. What changes will the Personal Data Protection Bill, 2019 make to data breaches?

Once the bill is passed, companies will have to report breaches to the Data Protection Authority within set time frames. Failing to do so may attract harsher penalties.

Contact

support@thelegalschool.in

+91 6306521711

+91 8407834532

Address

5th Floor, D-7, Sector 3, Noida - Uttar Pradesh

Social

linkedin

© The Legal School
