Kwik to deny a data breach, MobiKwik must move faster to address it


Tl;dr

India is witnessing one of the most significant data breaches in history. Users, security researchers and news organisations have reported that data of 10 crore Indians, including their passport details, addresses and phone numbers, is available for sale on the dark web. As per press reports, the data was in the custody of MobiKwik, which provides a mobile based payment system. While MobiKwik has denied the data breach, independent security researchers and Indian Express have verified that details of MobiKwik users are available on the dark web. We have written to the Computer Emergency Response Team (CERT-IN) asking them to initiate an inquiry over the data breach in terms of Section 70B(6) of the Information Technology Act, 2000. In this post, we point out the five steps MobiKwik must take to alleviate the situation.

Background

Over the past month, several users, independent security researchers and news organisations have reported that data - over 8.2 TB in size - of MobiKwik users has been put on sale over the dark web with an asking price of 1.5 Bitcoin which is approximately equal to INR 65 Lakhs. This data leak contains Know Your Customer (KYC) details, passport details, addresses, email ids, phone numbers and aadhar card details of around 10 Crore Indians and violates their right to privacy. The data breach follows a number of other data breaches that have affected Indians.

MobiKwik’s response

MobiKwik provides access to mobile based payment systems developed by the National Payments Corporation of India. The breach was first uncovered on 4th March 2021. MobiKwik responded by denying the breach and threatened to take legal action against the security researcher who uncovered the  breach and suggested that the researcher was ‘trying to grab media attention’. In the past few days, in wake of numerous reports verifying the data breach, MobiKwik released a blogpost where they again denied the data breach and have claimed that the breach could be because users ‘have uploaded their information on multiple platforms’.

MobiKwik’s denial, which shifts the blame upon users, must be taken with a pinch of salt. Independent researchers have indicated that a data breach has occurred. Indian Express has verified that details of MobiKwik users are available on the dark web. Other reports even suggest that MobiKwik has sought help from Amazon last month after they discovered that some person who did not belong to their organisation, downloaded their ‘S3 data’.

What we expect from MobiKwik

We believe that MobiKwik, like many Indian technology companies, need to do better given they are today driving global innovation. It is disappointing for MobiKwik, to dismiss reports of a data breach and also issue threats against a security researcher - both steps which are against the interests of its users. We think it is necessary for MobiKwik to immediately undertake the following five steps to alleviate the situation:

  1. Inform users: MobiKwik should individually inform each affected user of the extent to which the data breach has impacted them.
  2. Provide redressal to users: MobiKwik should devise and implement a strategy to provide adequate remedies to such users, including but not limited to compensation to the users in terms of Section 43A of the Information Technology Act, 2000.
  3. Fix accountability: MobiKwik should provide an explanation on why such a breach took place, provide details of the breach, including the number of users affected by the breach and the date and time on which the breach took place, and issue a statement explaining the steps taken to ensure such a breach does not occur in the future.
  4. Permit a third-party audit: The circumstances require that an independent agency conducts a forensic data security audit. We commend MobiKwik for making a public commitment to conduct it but it must be done independently through a firm of repute and its findings must be made public.
  5. Recall threat of legal action: As mentioned above, MobiKwik has threatened to take legal steps against the cyber security researcher who uncovered the data breach. As we have pointed out previously, cyber security researchers constantly face threats of legal prosecution even when they disclose data breaches in good faith. While there remains a need to provide legislative protection to such researchers, threatening researchers with legal prosecution is irresponsible. MobiKwik should immediately recall such threats especially since many users and other independent cybersecurity researchers have also claimed that a data breach has occurred.

Letter to Computer Emergency Response Team (CERT-IN)

In view of the massive data breach, violation of the right to privacy and the lack of a response by MobiKwik, we wrote a letter to CERT-IN. Under the Information Technology Act, 2000, CERT-IN is responsible for collecting, analysing, and disseminating information on cyber incidents and undertaking measures to handle cybersecurity incidents. In the letter, we have highlighted the concerns we have raised above and requested CERT-IN to conduct an inquiry into the data breach and conduct of MobiKwik, and require executives of MobiKwik to provide detailed explanations to their office in terms of Section 70B(6) of the Information Technology Act, 2000. We are hopeful that an enquiry by CERT-IN may compel MobiKwik to act responsibly and even provide compensation to its users as per Section 43A of the Information Technology Act, 2000.

Personal Data Protection Bill does not provide safeguards #SaveOurPrivacy

A broader policy ask also arises from this specific incident as we have highlighted it in the past with respect to data breaches by other entities, both public and private. Considering the frequency and the scale of such data breaches, Parliament must provide statutory protections to users whose rights are violated. As we have pointed out previously, the Personal Data Protection Bill, 2019 (PDPB) does contain several clauses relating to security and breaches. For example, Clause 25 deals with the breach of personal data. The clause states that in cases where a data breach may cause harm to the data principal, the data fiduciary must inform the proposed Data Protection Authority. However, the clause does not require the data fiduciary (in this case, MobiKwik) to inform the data principal (in this case, users whose data is now public). It is instead left to the Authority to decide: a) whether the data fiduciary must inform the data principal, b) the remedial action the data fiduciary must undertake, and c) the details of the data breach that can be made public.

In contradistinction to PDPB, a private member bill (the Personal Data and Information Privacy Code Bill, 2019) introduced by MP D. Ravikumar guarantees data subjects the right to be informed about any breaches of their personal information, and also asks organisations to designate privacy officers to ensure security compliance.

Currently, PDPB is being reviewed by a Joint Parliamentary Committee. A conversation around PDPB is the need of the hour and we have started a four-part series where we will talk about the need for a data law, the current bill’s provisions and loopholes, what good data bills actually look like, where accountability from authorities is needed, and what you can do to advocate for your rights.

Apart from providing statutory protection to data principals, a crucial aspect of data regulation is ‘data minimization’. The principle of data minimization involves limiting data collection to only what is required to fulfill a specific purpose. Cumbersome KYC processes result in companies having access to large amounts of data without necessarily having the ability to securely store such data.

Important Documents

  1. Our letter dated 31.03.2021 to the Indian Computer Emergency Response Team to conduct an inquiry into the data breach and conduct of MobiKwik (link)
  2. IFF post highlighting other recent security breaches (link)
  3. IFF post pointing out the security vulnerability of a website that provided for on-boarding services with BHIM (link)
  4. IFF post discussing the need to provide legislative protection to security researchers for responsible disclosures (link)
  5. Public Brief and Analysis of the Personal Data Protection Bill, 2019. (link)