MobiKwik's 8.2TB Breach and the DPDP Act's 72-Hour Clock
In 2021, 8.2 terabytes of MobiKwik user KYC data surfaced on the dark web. The company saw "no evidence of any data breach". Under DPDP Rule 7, that response is the scarier part of the story.
In March 2021, 8.2 terabytes of MobiKwik user data showed up on the dark web. KYC documents. Aadhaar cards. PAN cards. Bank statements. For an estimated 100 million users.
“We see absolutely no evidence of any data breach.”
That response is what this teardown is about, because under the DPDP Act it is the scarier part of the story.
When does the 72-hour clock start? (Rule 7)
Think about what that denial actually means. A cybersecurity researcher contacts you. Multiple journalists are reporting on verified datasets that include your users' Aadhaar numbers. And your public position is that you see no evidence. Either you investigated and found nothing, or you issued a denial before investigating.
DPDP Rule 7 says the 72-hour notification clock to the Data Protection Board starts when you become aware of a breach. Not when you confirm it. Not when you finish investigating. When you become aware. The moment a credible researcher contacts you, you are aware, and the clock is running.
So if the denial came before a proper investigation, the legal exposure is not just the breach. It is the documented public record of what the company did in the hours after it first heard about it.
Why KYC data sits at the top of the harm scale (§8, Rule 6)
This was not leaked emails. This was KYC: Aadhaar cards, PAN cards, and full bank statements. The document set you need to open a bank account, take a loan, or port a SIM in India. In the hands of a bad actor, 100 million of those records enable identity fraud at industrial scale.
Under §8 and Rule 6, safeguards must be proportionate to the severity of harm that exposure could cause. Financial identity documents sit at the top of that scale, and so does the security standard they demand.
The playbook every fintech needs before it needs it
Build your breach response playbook now, and make sure it contains one thing specifically: a clear internal definition of "aware". The Board will not accept "we were still investigating" as a reason to miss the 72-hour window, and a public denial with no documented investigation is the worst answer you can give them.
Privacy Labs ships a six-stage breach workflow with pre-drafted DPB and Data Principal notifications. If you handle KYC or transaction data, also see our fintech retention breakdown for how RBI and PMLA floors interact with DPDP. Start with the free Compliance Score below to see whether your current policy even maps to the 72-hour clock.
Frequently asked questions
When does the DPDP 72-hour breach clock start?
Under Rule 7, the clock starts when the Data Fiduciary becomes aware of the breach, not when the breach is confirmed or the investigation concludes. Credible notice from a researcher or journalist can constitute awareness.
What was the MobiKwik data leak?
In March 2021, security researchers reported that roughly 8.2 terabytes of data attributed to MobiKwik users, including Aadhaar cards, PAN cards, and bank statements for an estimated 100 million users, was offered on a dark-web forum. MobiKwik denied evidence of a breach.
What should a DPDP breach response plan contain?
A written definition of "aware" that starts the clock, a named incident owner, a data classification that flags severity, pre-drafted notifications for the Data Protection Board and affected Data Principals, and a tested workflow that gets all of it done within 72 hours.