It is every brand’s worst nightmare and Mobikwik, a payments company, is in the middle of it right now.
On 26 February 2021, security researcher Rajshekhar Rajaharia exposed a massive data leak at the company via this tweet. The scale of the breach was staggering. Know-Your-Customer (KYC) information, unmasked card numbers and other personal details like PAN and Aadhaar numbers for 11 crore Indians were freely available on the Internet.
As the storm gathered momentum, more people started discovering that their details were part of the exposed dump.
Mobikwik rushed to issue a statement via its Twitter handle, choosing to deny the breach altogether.
This provoked an even stronger backlash online, with the negative sentiment around Mobikwik growing steadily.
At the time of going to press, Mobikwik co-founders Upasana Taku and Bipin Preet Singh had not issued any other statements.
Where’s the Communication Plan?
There is enough research to show the negative impact of a data breach on reputation. This study by Centrify, for example, showed that 65% of victims lost trust in an organisation after a data breach.
Most companies have a response plan ready to mitigate damage to the brand from incidents like this. Here’s an example from a blog post by MyHeritage, the genealogy research firm, which went live the same day that the company received notice of a breach in 2018.
Regardless of whether the breach is real or not, the backlash is, which means Mobikwik needs to swing into proactive mode. Their response so far would seem to indicate that the company does not have an established communication protocol in place. This is surprising on two counts: Firstly, data breaches have become frighteningly frequent and one would assume a Fintech company like Mobikwik is prepared for them. Secondly, the company is said to be preparing for an IPO, which would indicate that they have invested in a mature Public Relations team.
What Should Mobikwik Have Done?
There should be only one communication objective in the mind of the Mobikwik team right now: Win back customer trust. The first step to winning back trust is to provide timely and relevant information. This includes a point person, customer hotlines as well as a frequently updated website and social handles.
Amith Prabhu is a reputation engineer based in Gurgaon and he has this to say.
“The least an organisation should do when there is a data security breach, is follow the tried and tested approach of Acknowledge and Apologise. These were never options and are even more critical in today’s digitised world. A company leader should be in the forefront of facing key stakeholders – namely investors, employees and customers to address the issue and indicate steps being taken to fix the problem.”
Amith Prabhu, Reputation engineer
In a print-only world, the goal of communication after an adverse incident was to control what appeared in media. Companies need to understand this is pointless in a digital world.
Australian security researcher, Troy Hunt, said “Try Googling Mobikwik data breach now.” Even a Google search for ‘Mobikwik’ shows a page dominated by the news of the breach. Mobikwik’s ill-advised tweet has only fuelled this surge of content, making the task ahead of it harder.
Update: Mobikwik co-founder Bipin Preet Singh tweeted a pre-formatted note, saying that there was no data breach and it was possible that some users had uploaded data themselves.