MobiKwik, which is backed by Sequoia Capital and Bajaj Finance, has faced growing criticism this week for denying a data leak many customers and digital rights activists say is linked to the firm’s database.
In the event of “lapses” the company could also face fines, according to the report citing unnamed sources, adding that “RBI was not happy with the company’s initial response”.
ET could not immediately verify whether RBI had taken up the matter with the company.
When contacted, a MobiKwik spokesperson told ET: “We take the privacy and security of our user data very seriously. We are working closely with requisite authorities to conduct an independent forensic audit.”
RBI did not respond to emails seeking comment, as of publishing this story.
The Gurugram-based fintech startup has denied the MobiKwik data leak even as several independent cybersecurity researchers flagged it as the biggest data breach in India’s corporate history about a month ago.
“The RBI has given MobiKwik an ultimatum and ordered them to retain an external auditor to conduct a forensic audit,” the person cited by Reuters said, adding that the central bank could also impose fines if the breach is proven.
In a statement released on Twitter, founder Bipin Preet Singh said that MobiKwik was not to blame for user information being available on the dark web as “users could have uploaded their information on multiple platforms.” Singh also said that an earlier audit of its systems had found no irregularities.
The dark web refers to the area of cyberspace where content cannot be found using normal search engines because it is encrypted.
The nature and details of the alleged MobiKwik data leak were flagged by security researchers Technadu and Rajshekhar Rajaharia over a month ago.
Earlier, in a statement released on March 4, MobiKwik had accused the researchers who made the breach public of presenting “concocted files” as evidence.
Over 8 terabytes (TB) worth of personal user information such as email IDs, phone numbers, names, addresses, passwords, GPS locations, and data related to users’ mobile devices is believed to have been stolen from MobiKwik’s main server by a hacker named ‘Jordan Daven’ and put on dark-web forums on January 20.
The personal data of merchants that have procured loans through MobiKwik has also reportedly been on sale in exchange for bitcoins. The leak is also believed to contain card numbers and hashes of over 40 million MobiKwik customers.
Founded in 2009 by Singh and Upasana Taku, MobiKwik counts the likes of Sequoia Capital and American Express as investors. The fintech platform is eyeing a public listing in the next financial year.