MOBIKWIK DATA BREACH – ARE CYBERSECURITY RESEARCHERS A BOON OR A BANE?


Authored By – Siddharth Jain[1]

OVERVIEW

With constant development in technology, the all-pervasive role the internet has been playing in our lives and, most importantly, the limitations imposed on us by the present pandemic, our dependence on digital payments, particularly mobile payment platforms, has gone up several notches. Given the ease of operation they provide to users and the fact that payments can comfortably be made while on the move, mobile payments are nowadays the norm rather than the exception. Several mobile payment platforms are currently operational in India, namely Paytm, Samsung Pay, Google Pay etc. In addition to the foregoing, one more platform used by people is Mobikwik.

In view of the sensitive nature of the operations conducted by these companies, it is imperative that they employ the highest level of security to protect the information provided by their users. However, the last day of March 2021 came as a rude shock to the users of mobile payment platforms when a news report in India Today[2] on 30th March, 2021 informed that the KYC details of about 35 Lakh users of Mobikwik were up for sale on the dark web! The information included personal details such as addresses, Aadhaar card numbers etc. This news wreaked havoc among people because payment applications hold one of the most sensitive sets of information. On 3rd April, 2021, another article was published in The Wire[3] which provided more details on the matter.

As per the news, a cybersecurity researcher, Mr. Rajshekhar Rajaharia, discovered the breach of Mobikwik’s database and duly intimated the company about the sale of its customers’ data on the dark web. As was expected, Mobikwik ignored the information, vehemently denied the findings and maintained that there had been no breach whatsoever.

Thus far, things were within an understandable domain. However, circumstances took a nasty turn when the company’s indifference forced the researcher to come out in the open and inform the public about the breach, in the public interest. It was then that Mobikwik opened multiple fronts against Mr. Rajaharia. It threatened him with legal action and called him names such as ‘media-crazed’ researcher. Since customers had found their details on sale themselves, Mobikwik even discounted them and stated that they must have had their data leaked through other online platforms. In all fairness, the company’s denials could have had some merit had the claims of Mr. Rajaharia not been supported by other cybersecurity researchers.

Mobikwik served a legal notice on Twitter, where the researcher had posted the information. Twitter complied with the notice, locked his account and forced him to take down his posts. The same fate awaited LinkedIn, which was also forced to take down Mr. Rajaharia’s posts.

Thanks to the furore it caused in India, the hacker group Ninja_Storm deleted the data from its servers by 31st March, 2021 and assured users that they were safe but, by then, some damage had already been done, for the data had been on sale since 26th March, 2021.[4] It is also to be noted that the number of accounts compromised could run much higher, as the figures provided by publications vary. For example, the Indian Express pegs the number of accounts at 10 Crores.[5]

While Mobikwik had been denying any sort of data breach and had been leaving no stone unturned to put the matter to rest, the Reserve Bank of India took cognizance of the matter and directed the company to conduct a thorough probe into it; should lapses be found, Mobikwik could face a penalty of a minimum of Rs. 5,00,000/- (Rupees Five Lakhs Only).[6] Information regarding the outcome of the probe is not available in the public domain and, as such, the author would refrain from commenting on it.


CYBERSECURITY AND ETHICAL HACKING

We normally come across the term ethical hacking in the context of a company’s network security infrastructure. However, this is only one constituent of the broader process of cybersecurity. As per Intellipaat, a global online professional training provider, cybersecurity consists of various computer security mechanisms, namely data security, digital forensics, ethical hacking and so on, and there are primarily four phases of cybersecurity:

  1. Identify: The process of identifying or understanding various cyber security risks on the system and data;
  2. Protect: Implementing appropriate protective measures to ensure the security of critical data;
  3. Detect: The process of detecting the occurrence of cyber security events;
  4. React: Taking appropriate actions in response to the detected cyber security events.[7]

Ethical hackers are supposed to hack into the company’s system, albeit with permission, to identify the lapses, if any. The job of a cybersecurity expert, on the other hand, is to take protective measures to safeguard the network without hacking into the system.

Ideally, ethical hacking or cybersecurity research is undertaken with the permission and knowledge of the organization, under an agreement to that effect. When taken up in this fashion, the process is purely legal and has been opted for by the organization to strengthen its security infrastructure.

However, the problem arises when the organization is neither aware of the shortcomings nor ready to acknowledge them when they are pointed out by an ethical hacker or cybersecurity researcher who identified the lapses without permission but reported them responsibly. Such an attitude only goes to show that the organization is more concerned with its own image than with the interests of its customers.


LEGAL PROTECTION TO CYBERSECURITY RESEARCHERS

As stated above, when the company itself hires the services of a cybersecurity expert or an ethical hacker, the action is purely legal. However, there are cases where the company is not aware of the lapses in its system in the first place. In such cases, an individual undertaking these exercises without the company’s permission, although with good intentions, is indeed sailing in choppy waters.

When companies, as in the case of Mobikwik, refuse to heed the warnings of cybersecurity researchers, the researchers are often forced to come out in the open in the larger public interest. It is then that they become the target of threats and pressure through court proceedings etc.

Indian law declares hacking or breaching a system in any manner illegal per se. However, when it comes to ethical hacking or conducting a cybersecurity exercise bona fide, the law is silent. Hence, although it is still hacking, it remains a gray area. In the absence of any clear legal position on the subject, the legality or illegality of the act would depend upon the peculiar facts and circumstances of the case, on whether the organization takes it in good spirit and decides to act upon it accordingly, and on the approach of the Court.

It would not be out of place to mention that, for an act to fall within the ambit of Indian criminal law, it has to be tested on the touchstone of various tests, one of which happens to be the intention of the individual at the time the act was done. In view of the fact that the system breach was done for the benefit of the company, the hacker or researcher may have a potent defence in Court.

It is imperative that cybersecurity researchers be accorded formal legal protection, keeping in view the role they play. The debate on this has been taking place the world over. However, Indian companies have been rather reluctant to take the findings of researchers in good spirit. Coupled with this is the attitude of the system, which is turning its back to the rising sun and failing to recognize its importance. While the Personal Data Protection Bill was being drafted, this proposal was brought to the notice of the Justice Srikrishna Committee. However, the Committee ignored it and, instead, incorporated a provision penalising anyone even attempting to de-identify data, even when it is responsibly reported to the authorities.[8]


CONCLUSION

The Mobikwik matter has brought to the fore an issue of paramount importance in this age of technology. The digital world has always been, and will always be, vulnerable, with data always at risk. However tall an organization’s claims may be as regards its security features, there is always that one entity which outsmarts it and breaks through the defences. We have seen in the past that some of the most secure networks of some of the most sensitive organizations have been breached.

In 2017, India ranked 3rd among the nations most vulnerable to cyber attacks, 2nd in terms of targeted attacks such as spam and phishing emails, and 4th with 8% of global ransomware detections.[9] Further, as per a report by NITI Aayog[10], internet users in India were expected to reach 730 Million by 2020.

This exponential growth, along with the fact that our network systems are among the most vulnerable in the world, presents a very grim scenario. It is high time for organizations across the spectrum to wake up and realize that if they do not respond to the call of the hour and strengthen their network security, we are headed toward digital doom. It is evident from instances across the world that no network is safe and secure by default, and it takes self-questioning to arrive at that answer. It is in this light that the role of professionals such as ethical hackers and cybersecurity researchers becomes important. Even organizations like the Central Intelligence Agency of the USA openly seek the services of cybersecurity researchers to harden their network defences.

It is only when all the arms of this complex web work together that we will be able to arrive at a point where the privacy of data can actually be secure and sanctified. Till then, data security is but an abstract concept.


REFERENCES:

[1] About the Author – Co-founding Partner of PSL, Advocates & Solicitors, a New Delhi based full-service law firm. Although relatively young, PSL strives to provide impeccable service to its clients, as is evident from a constant list of awards and accolades:

  • Siddharth started his practice in Lucknow in 2006 and worked on both the State and private sides of the practice.
  • He also worked with the leading law firms Singhania & Partners and Fox Mandal in Mumbai and Bengaluru, respectively, and contributed to their litigation practices before moving to Delhi.
  • He has a presence in all the fora, from the trial court to the Supreme Court, and practises in civil, commercial and corporate disputes.

[2] Ankita Chakravarty, Mobikwik data breach said to be the largest KYC leak, personal data of 3.5 million users up for sale on dark web, India Today, March 30, 2021, https://www.indiatoday.in/technology/news/story/mobikwik-data-breach-said-to-be-largest-kyc-leak-personal-data-of-3-5-million-users-up-for-sale-on-dark-web-1784957-2021-03-30

[3] Srinivas Kodali, Mobikwik, Cybersecurity and a Tradition of Going After the Messenger, The Wire, April 3, 2021, https://thewire.in/tech/mobikwik-cybersecurity-and-a-tradition-of-going-after-the-messenger

[4] Mehab Qureshi, ‘All Data Deleted’: Mobikwik Hackers Wipe Out Details After Breach, The Quint, March 31, 2021, https://www.thequint.com/tech-and-auto/mobikwik-hackers-have-a-message-for-you-all-data-deleted

[5] Tech Desk, Mobikwik database of 10 crore users leaked on dark web; company denies data breach, Indian Express, April 1, 2021, https://indianexpress.com/article/technology/tech-news-technology/mobikwik-database-leaked-on-dark-web-company-denies-any-data-breach-7251448/

[6] Reuters, RBI orders Mobikwik to probe alleged data leak: Report, Times of India, April 2, 2021, https://timesofindia.indiatimes.com/business/india-business/rbi-orders-mobikwik-to-probe-alleged-data-leak-report/articleshow/81858618.cms

[7] Intellipaat, Cyber Security vs Ethical Hacking, October 8, 2020, https://intellipaat.com/blog/cyber-security-vs-ethical-hacking-difference/

[8] Srinivas Kodali, Mobikwik, Cybersecurity and a Tradition of Going After the Messenger, The Wire, April 3, 2021, https://thewire.in/tech/mobikwik-cybersecurity-and-a-tradition-of-going-after-the-messenger

[9] PTI, India ranks 3rd among nations facing most cyber threats: Symantec, CIO, Economic Times, April 5, 2018, https://cio.economictimes.indiatimes.com/news/digital-security/india-ranks-3rd-among-nations-facing-most-cyber-threats-symantec/63621655

[10] Dr. V. K. Saraswat, Cyber Security, https://niti.gov.in/sites/default/files/2019-07/CyberSecurityConclaveAtVigyanBhavanDelhi_1.pdf
