Mobikwik and the incident reporting conundrum
The incident:
Data of more than 100 million users of Mobikwik was allegedly available on the dark web. The people who posted it claimed that it had personal KYC (Know Your Customer) information. It also contained government identifications like the PAN card and Aadhaar card. The details were available on a dark web link and could be accessed by anyone with a Tor browser. As expected, there was a lot of buzz about the biggest leak of all time in India! Read a detailed article about it here:
When we started looking at it, we found that the dark web link existed, but the hackers claimed to have deleted the data. They even left a snide remark that said people would believe it when there is no ‘statistical raise’ in misuse.
The Response:
On the 30th of March, at 3.16 pm, the CEO of Mobikwik put out a tweet denying the incident.
The same response is also available on the Mobikwik website:
https://blog.mobikwik.com/message-from-the-company/
How not to communicate a breach (or potential breach):
The response by Mobikwik warrants a detailed analysis, as it holds many lessons for CISOs and PR teams on how to handle a data breach or an alleged data breach.
In the first paragraph of the response, Mobikwik said that they were an Indian company and were regulated and fully compliant with the applicable data security laws. They went on to say that they followed security compliances such as PCI-DSS, CISA (?) and ISO 27001:2013. They also mentioned that they have a bug bounty programme. This is definitely reassuring to people.
However, they then said that ‘some users have reported that their data is visible on the dark web’. Then they went on to say that users could have uploaded their data on multiple websites and that the data could be from any of those sites. They claimed that it did not directly point to Mobikwik.
This was shirking responsibility.
A hacker allegedly posted data that claimed to be of Mobikwik users and the reaction from Mobikwik was to say that the data could be from anywhere and not necessarily Mobikwik!
Some reputed people looked up their data and found it to be the same data that they had entered on Mobikwik, which is too much of a coincidence. Read more about it here:
https://the-ken.com/story/the-mobikwik-data-breach-that-wasnt/
(As an aside, do look up the interesting articles that The Ken does on cybersecurity and technology)
Then they said that the matter was reported to them a month ago and that they investigated it at the time and found no breach, but now they will investigate it again!
They go on to assure the user who is worried about her KYC data that her account and balance are safe!!
If you dig a little deeper, you will see the interaction between a security researcher by the name of Rajshekhar Rajaharia and Mobikwik on this link:
Considering all this email communication, the defensive and evasive tone of the response by Mobikwik leaves a lot to be desired in terms of incident response.
CISO Check:
We could not miss the CISO check for this one… :)
Responding to incidents (whether real or alleged) requires a different approach when it comes to large-scale public data incidents. What you do matters more than what you say in your press release.
If you say that there is no breach, but you block the account of the person who reported the breach, then people are going to believe that there was a leak and it is being covered up.
Take care of the following things when responding to a publicised incident:
Have a documented plan and pre-recorded messages and mails.
Commit to transparency during the entire process of investigation.
Don’t shoot the messenger. Do not attempt to discredit the person who reported the breach. Get your house in order first and you will have all the time to legally pursue whatever courses of action you desire.
Don’t beat about the bush when communicating. No one cares if you have all the compliances in the world if they suspect that their data was leaked. Tackle the core issue first and then provide assurances.
Communicate often and provide updates.
Maintain a clear line of communication with relevant stakeholders (regulators, incident response teams, etc.) and jointly discuss the amount of information to disclose to the general public.