On March 30, DataBreaches.net posted an update to a controversial data breach that MobiKwik denies (previous coverage can be found here). The controversy subsequently escalated on Twitter when people started complaining that they had found their data in the leaked database and that it corresponded to what they had on file with MobiKwik. In addition to the shock and concern consumers felt about their data being available on the internet, there was anger at MobiKwik for denying responsibility and for trying to threaten and smear the researcher who had notified them and then pursued responsible disclosure.
In what made denial seem like an extreme sport, MobiKwik even went so far as to suggest that their customers may have uploaded all their information to multiple platforms.
The researcher, Rajshekhar Rajaharia, provides a more detailed timeline of the controversy on Medium. For his efforts to protect consumers, Rajaharia has been defamed as “media-crazed,” threatened with litigation, and censored by LinkedIn and Twitter based on complaints by MobiKwik.
And now DataBreaches.net has been targeted because on March 30, I posted “Mobikwik offers master class in how NOT to respond to a breach; researchers scoff, consumers rage.”
Today, I received an email from this site’s web host. They were forwarding a complaint submitted to CloudFlare from “anonymous,” and they asked me to look at it. So I did.
Before I show you what “anonymous” wrote, let me remind everyone what it says on this site’s About page:
This site is a combination of news aggregation, investigative reporting, and commentary. You may disagree with my reporting or be offended by my opinions. If you think I’ve erred in my reporting, email and let me know what you think I got wrong. If you don’t like my commentary on a situation or on your handling of an incident, you’re free to send a statement for me to consider posting.
If you want to send me legal threats about my reporting or comments, knock yourself out, but don’t be surprised to see me report on your threat, any confidentiality sig blocks you may attach notwithstanding. I have been threatened with lawsuits many times, and to be blunt: there is NOTHING you can threaten me with that will scare me even 1/10th as much as the day both my kids got their driver’s licenses within 15 minutes of each other.
Even though I had tweeted to MobiKwik on March 4 to question their claim, they never responded. And even after I emailed MobiKwik to tell them that I didn’t find their denial credible, they never responded. They never reached out to this site after the one boilerplate denial. But today, “Anonymous” complained.
You may want to look at the post “Anonymous” is complaining about so you can evaluate how accurate, or inaccurate, their claims are:
Reporter: Anonymous
Reported URLs:
https://www.databreaches.net/mobikwik-offers-master-class-in-how-not-to-respond-to-a-breach-researchers-scoff-consumers-rage/
Logs or Evidence of Abuse: The Blogger Dissent at Databreaches.net is Linking hacked/leaked personal information from Raid Forums on her blog. The sole reason for linking personal information is on the intent to maliciously shame a company so they can admit to being hacked. This is not right for this blog to link personal information just to manipulate, harass and Shame.
This was the main part of my response to my web host:
I reviewed the post that “anonymous” found objectionable. Their complaint is almost entirely unfounded:
1. There was and is absolutely NO link to RaidForums.com in the post the “anonymous” complainant links to. The forum is mentioned but there is no data on RaidForums linked to at all.
2. There is not even one iota of personal information reproduced or leaked in the post. In fact, the post heavily redacted images to prevent anything from being revealed. That said:
3. I have removed a link to a now defunct portal that allowed consumers to find out what data the company held on them that had been hacked and leaked. Since the company claimed — and claims — that the data were not real data and were not their data anyway, I’m hard-pressed to understand how they can now claim I am leaking their firm’s customers’ personal data, but I have removed the link anyway. But that link to a portal is all that I am willing to remove as there’s no personal info leaked or linked to in the remaining post.
They just don’t want to be embarrassed by criticism so they try to chill protected speech.
[…]
Now here’s my response to “Anonymous:”
You may have been able to censor Rajaharia on LinkedIn and Twitter, and you will probably keep trying to censor me, but I’d encourage you to learn about the Streisand Effect, and take this caution seriously: I don’t tolerate bullies or people who try to chill protected speech. I *will* fight back. And if I want to characterize your incident response to date as an EPIC FAIL, yes, I can do that, too.
Oh look, I just did.