MobiKwik, Cybersecurity and a Tradition of Going After the Messenger 

It is easier for companies to question the motives of security researchers, than actually spend time and money in improving their security.

India’s latest privacy controversy is growing particularly gnarly by the day, even by the standards of past incidents in the country. 

Well-known fintech start-up MobiKwik is currently locking horns with security researchers and its customers over claims of a potentially massive data leak. Reports over the last month have indicated that the data of millions of customers was up for sale on the dark web. The company has denied this, saying it has investigated and found nothing wrong. Its denials have been independently countered by others, who say there is evidence to provide credibility to the allegations.

In India, the lack of action from private companies and regulators like the Indian Computer Emergency Response Team (CERT-In) forces security researchers to go public, often becoming a target themselves in the process. This is what is happening with Rajshekhar Rajaharia, the security researcher who initially alerted MobiKwik about a potential data breach. 

Rajaharia first reached out to MobiKwik in the last week of February and responsibly disclosed the issue by pointing out how a malicious actor was trying to sell data over the dark web. 

MobiKwik not only issued swift denials, it also implicitly threatened Rajaharia with legal action. MobiKwik’s official Twitter account issued a statement as early as March 4 claiming their legal team will be going after a “media-crazed” security researcher as he is maligning their brand. 

With no special protections, cybersecurity researchers often face legal threats accusing them of unauthorised access and defamation. 

After the hackers who apparently breached MobiKwik presented more evidence by allowing anyone to search their data, Rajaharia shared details over a tweet of his interactions with the MobiKwik team and how they ignored his alerts.

Since then, multiple researchers, experts and customers have independently pointed out why there may be genuine cause for concern. MobiKwik however continues to maintain that there has been no breach and instead appears to have blamed users for their data ending up on the dark web. 

Over the last week, MobiKwik also appears to have issued legal notices to Twitter to pull down Rajaharia’s tweets. Twitter temporarily made his tweets inaccessible and locked him out of his account; restoring it later only after he deleted the offending tweets. 

Email from Twitter Legal confirming the legal notices received by MobiKwik.

MobiKwik’s legal team also appears to have gone after Rajaharia on every other platform where he published details of the incident. For instance, his post on LinkedIn was also blocked after a notice was issued claiming infringement of intellectual property. 

This trend adopted by Indian companies to silence anyone speaking against their organisation by using obscure legal allegations is a problem that stifles free speech and pulls a curtain down on accountability. By locking Rajshekar out of his accounts, and threatening to go after him legally, it is clear that a disservice has been done on an issue that potentially affects the privacy of millions. 

Why work so hard to silence reportage and discussion of an incident of interest to millions of users? Why not instead provide as much clarity as you can? This tradition of ignoring security alerts and blaming whistleblowers for bringing the issue to the attention of the larger public is common among Indian companies. The premier champion of this policy is the Indian government itself, which has a habit of ignoring every alert pointed to them and goes after researchers for pointing out cybersecurity issues.

In the past few days, both the Reserve Bank of India and CERT-In have woken up to the MobiKwik issue, with the former ordering a forensic audit

The larger issue

While we await the results of this audit, the larger issue of openly talking about potential security issues remains. It is easier for companies to blame security researchers than actually invest in security. With no economic costs associated with breach of data, companies ignore it. Even with a fundamental right to privacy, without any regulatory interest to act, citizens’ concerns are being ignored for the economic interests of private companies. 

One of the reasons a lot of security reports from India are released publicly through the Twitter account of French researcher Robert Baptise (Elliot Alderson) is because Indian researchers are afraid of retaliation from the private sector and government. Responsibly disclosing cybersecurity incidents in India is near impossible without the risks of legal actions when it involves big corporations or the government. 

A key part of the data protection law debates in India is whether protections should be given to researchers who point out genuine concerns related to cybersecurity. This issue was presented on multiple occasions to the Srikrishna committee and has been ignored by them. 

The draft data protection law proposed by the committee proposes penalties for anyone even attempting to de-identify data, even when they are responsibly reported to authorities. 

A key part of the data protection law debates in India is whether protections should be given to researchers who point out genuine concerns related to cybersecurity. Photo: Reuters

Security researchers across the world have been trying to improve and work with authorities to point out the need for responsible security disclosure programmes. It has been long established that security through obscurity does not help anyone and actually harms everyone as it ignores the vulnerabilities at large only to be exploited in future. Large companies understand the importance of these exercises and are already working with researchers by promoting these activities. 

Countries which understood the importance of security disclosure tried to include them in the law by giving protections to researchers doing responsible disclosure under a time limit. In the case of the UK draft data protection Bill in 2018, amendments were proposed to protect security researchers if they conduct research in public interest and report their findings in no less than 72 hours. In India, there is no discussion at all in this direction. This criminalisation of security researchers helps no one and indeed makes us more vulnerable. 

Srinivas Kodali is a researcher with Free Software Movement of India