In what is said to be the biggest data breach in Indian History, data of 10 Crore Indian users of the Gurugram based Fin-Tech Mobile App, Mobikwik has been leaked. This data is said to include the personal details of users such as credit card numbers, passwords, names, email-IDs, phone numbers and other private sensitive data[1]. This data leak has been brought to light by several researchers, mainly Mr. Rajashekar Rajaharia and confirmed by a French based security researcher named Elliot Anderson, who claimed it to be the largest KYC data leak in history.[2] However, Mobikwik denied all such allegations of data breach. This database, amounting to 8.2 TB and consisting of sensitive personal information is said to have been stolen by a hacker who goes by the username ninja_storm and leaked on Dark Web Forums, which he was willing to sell at a price of 1.5 Bitcoin or 65 Lakh rupees[3]. He even provided proof by posting some of the data on his website. Mobikiwk again denied all these allegations of data leak in the dark web and said that considering the seriousness of the allegations they would conduct a forensic data security audit by a third party. Upon several requests he had deleted some accounts from the database, and agreed to delete all the data is Mobikwik publicly agreed that there had been a data breach[4]. RBI has however ordered Mobikwik to have a forensic audit done of their software and database.




Mobikwik in a statement released by it on it’s twitter page said that, the allegations of data breach are false and concocted[5] and this data can be stored by different applications used by the customer and does not necessarily indicate it to be of Mobikwik[6]. Further, Mobikwik has said that considering the seriousness of allegations and to take abundant caution, it would get a third party to conduct a security audit. They have also stated that they are cooperating with the authorities, in relation to this alleged data breach[7].




Mr. Rajesh states that he had informed Mobikwik about the alleged data breach when it initially came to light in January itself, but the company had rejected his claims and said they would take strict legal action against Mr. Rajashekar. According to him, as a user it is his right to know if his financial data was safe. He said that government authorities should thoroughly investigate the data leak immediately as it has wider ramifications that can potentially lead to several financial frauds. Full 16 digit card numbers might be unmasked because their encryption algorithm is public now.[8]




In India the Information Technology Act, 2000 is the primary legislation governing information technology and data protection. Every person and company are protected and are obliged to follow these laws.

Mobikwik can be sued under Section 43A of the IT Act, 2000[9]. It provides for payment of damages to an aggrieved person by a company or body incorporated for negligence in maintaining due security procedures. Further, if the alleged data leak is true, Mobikwik ought to have released a statement regarding it, so that the users could have blocked their bank accounts.

Further, under Regulation 4 of the IT Rules, 2011[10], MobiKwik is required to provide every registered user of MobiKwik with a readable copy of the information that it keeps about the user.




The hacker has said that he has deleted all the data on humanitarian grounds and that the users were safe. RBI has however ordered them to conduct a forensic security audit.




This is not the first ever security breach to have taken place. Previously popular apps like Big Basket and Unacademy were subjected to such a breach as well. Since the alleged leaked data comprises a lot of extremely sensitive data of each user, it is a potential threat to other banks and applications as well. It is important that these companies update their privacy policies and the users also have a proper understanding of the same. These privacy policies provide for all the information stored by the application and the extent of their liability, in case of a data breach and the safety mechanisms taken by the company to protect data. It is extremely important for the users to read these policies as these applications, at the end of the day monetize your personal data. It reveals how a company collects and processes your data and what it uses it for and can be cited by a user in the court in case of any breach of privacy. Alternatively, Mobikwik users can also check if their accounts were leaked by using an open website called Tor Browser.




[1]Anonymous, Data of 10 crore Mobikwik users for sale on dark web, say cybersecurity experts, THE ECONOMIC TIMES (April 1st, 2021, 5:30 pm) sale/articleshow/81756544.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst

[2]Manas Tiwari, Mobikwik user data has leaked, here is what happened and this is what you should do next, INDIA TODAY (April 1st, 2021, 5:30 pm)

[3] Anonymous, MobiKwik data leak: What we know so far , CNBC TV (April 1st, 2021, 5:30 pm)

[4] Debasish Sarkar, A Hacker, 10 Crore Mobikwik Users, over 1 month: Timeline of the Largest KYC Data Breach, GADGETS NOW, (April 1st, 2021, 5:30 pm)




[8] Anonymous, Hackers allegedly leak data of 9.9 crore Mobikwik users in India, company rejects claim, FIRST POST, (April 1st, 2021, 5:30 pm)

[9] § 43A, Information Technology  Act, 2000

[10] Regulation 4, Information Technology (Reasonable Security and Procedures and Sensitive Personal Data or Information) Rules, 2011

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *