MUMBAI — Indian tech startups, including one of India’s leading fintech startups, Mobikwik, and business-to-business platform Bizongo, have come under fire due to recurring data breaches over the last few weeks, prompting calls for tighter data security laws and more investment in cybersecurity.
Last week, Bizongo reported a hack that exposed 2.5 million customer files, while hackers also breached security systems at stock brokerage Upstox and stole data on 2.5 million customers.
“Bizongo left customer data sitting unsecured on their misconfigured Amazon Web Services,” according to a post on Website Planet, a web development company. “For a period of time, the names, addresses, numbers and financial details of buyers and sellers were accessible to potentially harmful third parties.”
Mobikwik has also been hit by hackers. Just last month, it was revealed that a massive amount of data on 3.5 million Mobikwik consumers was up for sale on the internet, shocking the country due to the sensitive nature of the information that users park in fintech apps.
The payment processing and digital credit startup is planning to hit India’s primary market late this year, betting on the success of its digital credit business, even as it faces stiff competition in the payments space from homegrown companies, as well as global stalwarts such as Paytm, Google, and Amazon India. It is unclear at this point whether the data breach will have a significant impact on Mobikwik’s growth.
After vehemently denying reports of an earlier breach, Sequoia-backed Mobikwik issued the following statement on Mar. 31: “The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations, will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all Mobikwik accounts and balances are completely safe.”
Of the recent data breaches, the incident at Mobikwik was seen as especially worrying given the sensitive nature of the information that consumers park with fintech platforms, including credit card and bank details.
The situation prompted the Reserve Bank of India to tighten standards for payments companies, according to a report by the Economic Times newspaper. The central bank asked companies to submit “compliance certificates” every six months, starting April 1. This requirement is over and above the board-certified audit report and a one-time compliance report on data localization that payment companies need to submit.
In March, Minister of State for Electronics and IT Sanjay Dhotre informed Parliament that over 26,100 Indian websites were hacked in 2020, including 54 departmental websites and 59 state government websites. N. Chandramouli, CEO of TRA Research, stressed the seriousness of the breach: “Fintech carries much more potential for damage. All these [hacks] are done by ransomware people … so the amount of damage done to fintech companies is much higher because trust is lost.”
Chandramouli added that data breaches are inevitable and that nothing is really 100% secure, but that data companies need the latest technology to lessen such occurrences.
“Indian startups run a huge risk of data breaches given gaps in technology infrastructure and evolving practices of cyber laws,” said Vikram Gupta at IvyCap Ventures. “Startups focused on large consumer bases run the risk of losing trust from their customers if they don’t take proactive measures to prevent this. Laws need to be strengthened further to punish those that commit these crimes. This is an opportunity for startups focused on cybersecurity.”
Experts also feel there is a need to enact laws that would compensate the consumer for data breaches, as it would penalize hackers. India’s cyberlaw is currently guided by the Information Technology Act, 2000, which does not seem to be enough for regulating cybersecurity.
Another law — The Personal Data Protection Bill, 2019 — is currently pending approval in Parliament. The new bill is modeled after the European Union’s General Data Protection Regulation. Among other things, the bill makes it mandatory for companies to inform users before collecting or using personal data.