Biggest KYC data breach in History


Gurgaon-based Mobikwik is a payment app allowing users to perform transactions online and maintaining a mobile wallet. The company had even started offering small loans to its users from 2016 inwards, thus requiring KYC details of the users

New Delhi | Jagran Technology Desk: Sensitive information including KYC details, addresses, phone numbers, Aadhar card data, and other details of around 3.5 million users of payment app Mobikwik was allegedly up for sale on the dark web, claimed a security researcher on Monday. Many users of the app also reportedly spotted their personal information on the dark web link circulated on the internet.

According to a report by TechNadu, independent security researcher, Rajshekhar Rajaharia, first spotted the data breach in February. At that time, the security researcher had said that 6 TB KYC data and 350GB compressed Mysql dump was allegedly leaked from a company’s Server in India. “11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed MySQL dump,” he had said.

‘biggest KYC data breach in history’

The TechNadu report further stated that the sensitive information including email ids, phone numbers, passwords apps installed, phone manufacturer, IP address, GPS locations, and other details of users was leaked and the seller has set up a portal on the dark web, where anyone can search by phone number or email ID to get the specific information out of the total 8.2 TB data.

Meanwhile, another security researcher had posted screenshots of the data breach of Mobikwik on Twitter and termed it as the ‘biggest KYC data breach in history. However, the payment app, Mobikwik, had denied the claims by Rajshekhar Rajaharia, but on Monday, a link from the dark web, consisting of the data, had reportedly surfaced on the internet. Some users had even reportedly claimed to see their personal information on the link and posted screenshots on Twitter.

As per reports, the data was being sold for 1.5 bitcoin or about $86,000. However, the company has repeatedly denied claims of the data breach. A spokesperson of Mobikwik, as quoted by TechNadu, said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”