MobiKwik, which is backed by Sequoia Capital and India’s Bajaj Finance, has faced growing criticism this week for denying a leak many customers and digital rights activists say is linked to the company’s database.
The Reserve Bank of India (RBI) was “not happy” with the company’s initial response and has asked it to act immediately, said the source, who declined to be named as the discussion between the RBI and the company was private.
The payments firm has also faced backlash for threatening legal action against a security researcher who first flagged the breach.
Several users said this week they had found information such as their credit card details on a leaked online database that allegedly belonged to MobiKwik, a claim the company has denied.
“The RBI has given MobiKwik an ultimatum and ordered them to retain an external auditor to conduct a forensic audit,” said the person, adding the RBI could also impose fines if the breach is proven.
The RBI did not respond to a request for comment.
The central bank has the power to fine a payment systems provider a minimum of 500,000 rupees ($6,811) in such cases.
MobiKwik did not respond to a request for comment and messages sent to its founders went unanswered.
It has previously said users could have uploaded their data on several platforms and it was incorrect to say the leaked information was accessed from the payments company, adding it takes privacy and security very seriously.
With 120 million users, MobiKwik competes in India with firms like Alibaba-backed Paytm and Google’s payments service, which have witnessed a rapid surge in usage. But data breaches and leaks have also become common in the country.
On Wednesday, New Delhi-based digital rights group the Internet Freedom Foundation (IFF) asked India’s country’s cyber security agency to probe the alleged data breach. The federal agency did not respond to Reuters queries.
Reporting by Sankalp Phartiyal in New Delhi and Euan Rocha in Mumbai; Editing by Aditya Kalra, John Stonestreet and Bernadette Baum