## What Happened
In 2024, MobiKwik, one of India's largest digital wallet and payment platforms, suffered a catastrophic data breach that exposed sensitive information of over 10 million users. The incident revealed a stark reality: even well-funded Indian fintech companies were not adequately protecting customer data.
The breach compromised personally identifiable information (PII), including names, phone numbers, email addresses, and in some cases, Aadhaar numbers and banking details. What made this incident particularly damning was not just the scale of the breach, but the timeline—security researchers discovered the exposed data on the dark web weeks before MobiKwik publicly acknowledged the incident. The company's delayed response violated the CERT-In 6-hour disclosure mandate and set off alarm bells across India's regulatory ecosystem.
Originally reported by Inc42, the incident coincided with a period of significant investor scrutiny on Indian fintech platforms. Domestic alternative investment funds (AIFs) that had backed MobiKwik began reassessing their positions, with some halving their ownership stakes in the March quarter of FY26. The market's loss of confidence wasn't just about financial performance—it was about trust. And trust, in fintech, is everything.
## Why This Matters for Indian Businesses
If you run a small or medium business in India—especially if you handle customer data, payments, or personal information—MobiKwik's breach should keep you awake at night. Here's why:
Regulatory Exposure: The Digital Personal Data Protection (DPDP) Act, 2023 requires every Data Fiduciary handling personal data to implement reasonable security safeguards against breaches, and to notify the Data Protection Board and affected users when a breach occurs. Failing to maintain those safeguards carries a monetary penalty of up to ₹250 crore per instance (the Act provides for penalties, not imprisonment). MobiKwik's breach would have triggered a DPDP investigation had the Act been fully in force at the time.
CERT-In's 6-Hour Rule: Under its April 2022 directions issued under Section 70B of the IT Act, the Indian Computer Emergency Response Team (CERT-In) requires covered entities to report specified cyber incidents, including data breaches and data leaks, within 6 hours of noticing them or being notified of them. MobiKwik's delayed disclosure exposed the company to regulatory action and public backlash. For your SMB, this means detection and an escalation path that work within hours, not a quarterly security audit.
RBI Oversight: If your business touches payments or financial data, the Reserve Bank of India (RBI) expects compliance with its cybersecurity framework. The RBI has been increasingly stringent with fintech platforms, and MobiKwik's incident accelerated this trend. Your SMB may not be a fintech, but if you process payments or store banking details, RBI scrutiny is coming.
Dark Web Exposure: MobiKwik's data appeared on dark web marketplaces before the company acknowledged the breach. This is the modern reality: your stolen data has a resale value. Without dark web monitoring, you won't know your customers' records or your staff's credentials are being sold until someone reports fraud.
## Technical Breakdown: How MobiKwik Was Compromised
MobiKwik never publicly disclosed the exact attack vector, but security researchers and incident reports pointed to several critical failures. The chain below is a reconstruction of how such a breach typically unfolds, not a confirmed timeline:
```mermaid
graph TD
    A[Unpatched Web App / API Endpoint] -->|SQL Injection or RCE| B[Database Access Gained]
    B -->|No Data Encryption| C[Sensitive Data Readable]
    C -->|Insufficient Access Controls| D[Mass Data Extraction]
    D -->|No WAF / IDS Detection| E[Exfiltration Undetected]
    E -->|No Dark Web Monitoring| F[Data Sold on Dark Web]
    F -->|Delayed CERT-In Notification| G[Regulatory Violation]
    G -->|Investor Loss of Confidence| H[Stock Decline & AIF Exits]
```
**Attack Vector 1: Unpatched Vulnerabilities**
MobiKwik likely exposed an unpatched API endpoint or web application vulnerability. In my years building enterprise systems, I've seen this pattern countless times: code goes to production, security teams have no real-time view of what is actually exposed, and attackers find the gap before the patch lands.
**Attack Vector 2: Insufficient Data Encryption**
Even after gaining database access, attackers would have found properly encrypted data far less useful. If, as reports suggested, sensitive fields such as Aadhaar numbers were stored in plaintext, they could be read directly. One caveat practitioners should keep in mind: disk- or volume-level encryption at rest does not help here, because anyone who can run queries sees decrypted data. What limits the damage is field-level encryption with keys held outside the database (a KMS or HSM), so that a dump of the tables yields only ciphertext.
**Attack Vector 3: No Web Application Firewall (WAF)**
A modern WAF in front of the APIs would have blocked, or at least logged, commodity SQL injection and API-abuse attempts. MobiKwik's infrastructure apparently lacked this layer. A WAF is a mitigating control, not a fix: it buys time while the vulnerable code is patched, and a determined attacker can usually work around its signatures.
**Attack Vector 4: Inadequate Access Controls**
Once inside, the attackers appear to have had unrestricted read access to the customer tables. Role-based access control (RBAC), a least-privilege database account for the application that cannot touch columns it does not need, and segmentation of the most sensitive fields into a separately protected store would have limited the blast radius. Audit logging with alerts on bulk reads would also have made mass extraction noisy instead of silent.
Here's what a basic **API vulnerability assessment** looks like. Run it only against systems you are authorised to test, ideally a staging copy:

```bash
# Check for common API weaknesses with curl

# 1. Missing authentication on a sensitive endpoint: no credentials are sent
curl -s -i "https://api.example.com/v1/users/123" \
  -H "Content-Type: application/json"
# A 200 carrying a user record here is a critical issue; expect 401 or 403

# 2. SQL injection in a query parameter. Use a non-destructive probe: a true
#    and a false condition should return identical results if the parameter
#    is handled safely; a difference in the responses suggests injection
curl -s "https://api.example.com/v1/search?q=test'%20AND%20'1'='1"
curl -s "https://api.example.com/v1/search?q=test'%20AND%20'1'='2"

# 3. Secrets or tokens leaking in response headers
curl -sI "https://api.example.com/v1/health" | grep -iE "api-key|authorization"

# 4. Rate limiting on login (brute-force exposure): tally the status codes
for i in $(seq 1 200); do
  curl -s -o /dev/null -w "%{http_code}\n" -X POST "https://api.example.com/v1/login" \
    -H "Content-Type: application/json" \
    -d '{"user":"admin","pass":"attempt'"$i"'"}'
done | sort | uniq -c
# If no 429 (or account lockout) ever appears, there is no effective rate limit
```
> [!SECURITY]
> If you're running public APIs without a Web Application Firewall (WAF), you're inviting attackers to probe your endpoints at leisure. A managed WAF costing a few thousand rupees a month blocks the bulk of commodity scanner and injection traffic; it does not replace fixing the underlying bugs, but it removes the noise and buys time to patch.
## How to Protect Your Business
After MobiKwik's breach, I reviewed dozens of Indian SMB security postures. Most had the same vulnerabilities that likely enabled the MobiKwik attack. Here's a practical defense matrix:
| Protection Layer | Action | Difficulty | Cost |
|:---|:---|:---:|:---:|
| **Vulnerability Scanning** | Run automated VAPT scans quarterly (or monthly if handling payments) | Easy | ₹5,000–₹15,000/scan |
| **Web Application Firewall** | Deploy ModSecurity or AWS WAF in front of all public APIs | Medium | ₹500–₹5,000/month |
| **Data Encryption at Rest** | Enable volume-level encryption (included in cloud platforms) and add field-level AES-256 encryption, with keys held outside the database, for Aadhaar, PAN and banking fields | Medium | Volume-level: included; field-level: developer time |
| **Access Control** | Implement role-based access control (RBAC) and principle of least privilege | Medium | ₹20,000–₹50,000 setup |
| **Real-Time Monitoring** | Deploy IDS/IPS to detect exfiltration attempts | Hard | ₹10,000–₹30,000/month |
| **Dark Web Monitoring** | Monitor dark web for your company domain and employee credentials | Easy | ₹5,000–₹20,000/month |
| **CERT-In Readiness** | Establish incident response playbook with 6-hour notification protocol | Easy | ₹30,000–₹100,000 (one-time) |
| **DPDP Compliance** | Data protection impact assessment and privacy policy alignment | Medium | ₹50,000–₹200,000 |
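The "Real-Time Monitoring" row is the one most SMBs skip because IDS/IPS sounds heavyweight. The mass-extraction step in the chain above is detectable with far less: a database audit log and a sliding-window count of rows returned per database user, plus a flag when a credential is suddenly used from an address it has never used before. The following is an added example, not the page's or any vendor's code; the log line format and the sample lines are constructed for illustration, and the 60-second window and 1,000-row threshold are assumptions you would tune to your own baseline.

```python
# Added example: flag bulk reads and unfamiliar source addresses in a
# database audit log. The log format and sample lines below are constructed
# for illustration, not taken from any real product or from the incident.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format:
#   "<ISO timestamp>Z user=<db user> src=<client ip> table=<table> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: app_svc normally reads a few rows per query from one
# address; report_svc runs one legitimate batch; then app_svc's credentials
# are used from a new address to pull the users table in 500-row chunks.
SAMPLE_LOG = """
2024-03-02T10:00:01Z user=app_svc src=10.0.1.5 table=users rows=1
2024-03-02T10:00:07Z user=app_svc src=10.0.1.5 table=users rows=1
2024-03-02T10:00:19Z user=app_svc src=10.0.1.5 table=transactions rows=12
this line is malformed and must be skipped rather than crash the detector
2024-03-02T10:01:02Z user=app_svc src=10.0.1.5 table=users rows=1
2024-03-02T10:01:45Z user=report_svc src=10.0.1.9 table=transactions rows=800
2024-03-02T10:02:10Z user=app_svc src=10.0.1.5 table=users rows=2
2024-03-02T10:03:00Z user=app_svc src=203.0.113.77 table=users rows=500
2024-03-02T10:03:20Z user=app_svc src=203.0.113.77 table=users rows=500
2024-03-02T10:03:40Z user=app_svc src=203.0.113.77 table=users rows=500
2024-03-02T10:03:55Z user=app_svc src=203.0.113.77 table=users rows=500
""".strip().splitlines()


def parse_line(line: str):
    """Return a dict for a well-formed audit line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "src": m["src"],
        "table": m["table"],
        "rows": int(m["rows"]),
    }


def detect_bulk_reads(lines, window=timedelta(seconds=60), row_threshold=1000):
    """Sliding-window detector over audit lines.

    Emits a 'bulk_read' alert whenever one database user has returned more
    than row_threshold rows within `window`, and a 'new_source' alert the
    first time a user is seen from an address it has not used before.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, rows) inside the window
    in_window = defaultdict(int)  # user -> rows returned inside the window
    known_src = defaultdict(set)  # user -> client addresses seen so far
    alerts = []

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input is skipped, never fatal
        user, ts = rec["user"], rec["ts"]

        # A credential suddenly used from a new address is worth a look on its own.
        if known_src[user] and rec["src"] not in known_src[user]:
            alerts.append({"kind": "new_source", "user": user, "src": rec["src"],
                           "ts": ts, "rows_in_window": in_window[user]})
        known_src[user].add(rec["src"])

        # Slide the window forward, then account for the current read.
        dq = recent[user]
        while dq and ts - dq[0][0] > window:
            _, old_rows = dq.popleft()
            in_window[user] -= old_rows
        dq.append((ts, rec["rows"]))
        in_window[user] += rec["rows"]

        if in_window[user] > row_threshold:
            alerts.append({"kind": "bulk_read", "user": user, "src": rec["src"],
                           "ts": ts, "rows_in_window": in_window[user]})
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_reads(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['kind']:<10} user={a['user']} "
              f"src={a['src']} rows_in_window={a['rows_in_window']}")
```

On the sample, the legitimate 800-row batch from `report_svc` stays under the threshold and raises nothing, while the chunked pull from 203.0.113.77 produces one `new_source` alert at the first query and `bulk_read` alerts once the 60-second total passes 1,000 rows. In production you would feed this from PostgreSQL's log or pgAudit, MySQL's audit plugin, or your cloud provider's database activity stream, and route the alerts into whatever pages your on-call, because the 6-hour CERT-In clock starts when you notice, so noticing quickly is the whole point.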
### Quick Fix: Enable Column-Level Encryption
If you're running PostgreSQL, the bundled pgcrypto extension lets you encrypt sensitive columns right now (MySQL offers AES_ENCRYPT/AES_DECRYPT; the key-handling caveats below apply equally):

```sql
-- Requires the pgcrypto extension (ships with PostgreSQL contrib)
CREATE EXTENSION IF NOT EXISTS pgcrypto;

BEGIN;
-- Add an encrypted column alongside the plaintext one
ALTER TABLE users ADD COLUMN aadhaar_encrypted bytea;

-- Encrypt existing values. In practice pass the key as a bind parameter
-- from the application, never as a literal that lands in server logs
UPDATE users
   SET aadhaar_encrypted = pgp_sym_encrypt(aadhaar, 'your-secret-key')
 WHERE aadhaar IS NOT NULL;

-- Drop the plaintext column and take over its name
ALTER TABLE users DROP COLUMN aadhaar;
ALTER TABLE users RENAME COLUMN aadhaar_encrypted TO aadhaar;
COMMIT;

-- Verify encryption works (pgp_sym_decrypt returns text)
SELECT pgp_sym_decrypt(aadhaar, 'your-secret-key') FROM users LIMIT 1;
```

Three caveats before you ship this. The key must live outside the database, in a secrets manager or KMS, and be supplied by the application at query time; a key stored in a config table or a stored procedure falls to the same attacker who dumps the tables. Equality lookups such as `WHERE aadhaar = ...` stop working on ciphertext, so if you need to search by the value, store a keyed HMAC of it in a separate indexed column and query that. And the plaintext still exists in WAL segments, backups and old dumps until they age out or are rotated, so the migration is not finished when the `COMMIT` returns.
For AWS RDS, **encryption at rest** can only be chosen when an instance is created; `modify-db-instance` has no option to switch it on later. An existing unencrypted instance is migrated through an encrypted snapshot copy, after which the application is pointed at the new endpoint and the old instance retired (wait for each snapshot to reach `available` before the next step):

```bash
# 1. Snapshot the unencrypted instance
aws rds create-db-snapshot \
  --db-instance-identifier my-production-db \
  --db-snapshot-identifier my-production-db-snap

# 2. Copy the snapshot under a KMS key; the copy is encrypted
aws rds copy-db-snapshot \
  --source-db-snapshot-identifier my-production-db-snap \
  --target-db-snapshot-identifier my-production-db-snap-enc \
  --kms-key-id alias/aws/rds

# 3. Restore an encrypted instance from the copy, then cut over
aws rds restore-db-instance-from-db-snapshot \
  --db-instance-identifier my-production-db-enc \
  --db-snapshot-identifier my-production-db-snap-enc
```

This is volume-level encryption: it protects against someone walking off with the storage or an exported snapshot, not against an attacker who reaches the database through the application's own connection, which is the path in the breach chain above. Column-level encryption with externally held keys is still needed for fields like Aadhaar.

## How Bachao.AI Detects This
When I founded Bachao.AI, MobiKwik's breach was a wake-up call. Indian SMBs had no affordable way to find these weaknesses before attackers did. Here's how our platform addresses each failure in the chain above:
Dark Web Monitoring (₹8,000–₹20,000/month): Alerts when your domain, customer records or employee credentials appear on dark web marketplaces or paste sites. MobiKwik's data was listed for sale before the company acknowledged the breach; monitoring would have raised the alarm when the listing appeared rather than weeks later.
DPDP Compliance Assessment (Free): Our readiness scanner checks your data protection policies against the DPDP Act. If you're handling Indian user data, this is non-negotiable.
Incident Response (24/7 retainer): When a breach is detected, our incident response team handles CERT-In notification, evidence preservation, and regulatory communication. The 6-hour clock starts ticking—you need experts, not panic.
This is exactly why I built Bachao.AI—to make enterprise-grade security accessible to SMBs at a fraction of Fortune 500 costs. A breach like MobiKwik's would cost your business ₹50+ crore in fines, remediation, and lost customer trust. Our annual security investment is a rounding error compared to that risk.
## What Indian Businesses Should Do Now
### Immediate (This Week)
- Audit your data inventory: What personal data are you storing? Where? Is it encrypted?
- Check your CERT-In readiness: Do you have a 6-hour incident notification protocol?
- Run a free VAPT scan to identify critical vulnerabilities.
- Enable encryption for sensitive data fields (Aadhaar, PAN, banking details).
- Deploy a Web Application Firewall in front of all public APIs.
- Subscribe to dark web monitoring for your domain and employee emails.
- Assess DPDP Act compliance.
- Implement role-based access control and principle of least privilege.
- Establish a formal incident response plan with CERT-In notification procedures.
- Schedule quarterly VAPT scans and annual penetration testing.
- Conduct security awareness training for your team (phishing simulation is a good start).
## The Bottom Line
MobiKwik's breach wasn't a one-off incident—it was a symptom of a systemic problem in Indian fintech and SMB security. Too many businesses prioritize feature velocity over security hardening. Too many assume "it won't happen to us." And too many lack the budget or expertise to implement enterprise-grade protections.
But the cost of inaction is now clear: regulatory fines, investor loss of confidence, and customer churn. The cost of action—a quarterly VAPT scan, a WAF, and dark web monitoring—is a fraction of that.
If MobiKwik's breach taught us anything, it's this: security is not a cost center, it's a business enabler. Companies that protect their customers' data build trust. Companies that build trust attract investors, retain customers, and scale faster.
Your move.
Written by Shouvik Mukherjee, Founder of Bachao.AI. I spent a decade building security systems for Fortune 500 companies before founding Bachao.AI to democratize cybersecurity for Indian SMBs. Follow me on LinkedIn for daily insights on securing Indian businesses against emerging threats.