A Popular Vendor in the Fintech Space Faces a Security Breach
Signzy, a leading provider of online ‘know your customer’ (KYC) ID verification and customer onboarding services to several top financial institutions, commercial banks, and fintech companies, has confirmed a security incident. According to sources speaking with TechCrunch, the Bengaluru-based startup was hit by a cyberattack last week.
Background Information
Signzy enables onboarding for 10 million customers and businesses monthly. Founded in 2015, the startup has offices in New York, Dubai, Bengaluru, Gurugram, and Mumbai, serving over 600 financial institutions globally, including the four largest Indian banks: ICICI Bank, SBI, Mswipe, and Aditya Birla Financial Services.
The Security Incident
On Saturday, Signzy told TechCrunch that it was aware of the security incident but declined to elaborate. India’s computer emergency response team (CERT-In) separately acknowledged to TechCrunch that it was aware of the incident and was in the process of taking appropriate action with the concerned authority.
Sources Reveal Details
TechCrunch learned about the security incident from sources, including two Signzy clients, who were concerned about the alleged customer data that briefly appeared on a cybercrime forum post. PayU, another Signzy customer, stated that Signzy was hit by an ‘information stealer malware’ and asserted that it had no exposure to the incident.
Customers Affected
PayU spokesperson Dimple Mehta told TechCrunch: "There is no impact on PayU customers or their data due to Signzy’s information stealer malware. We have received written confirmation from the vendor that PayU and its customers’ data have not been compromised and remain secure with the best security standards in place."
Other customers, including ICICI Bank, stated that they were unaffected.
Signzy’s Response
In a statement to TechCrunch, Signzy declined to comment on whether customer data had been exfiltrated. Debdoot Majumder, a spokesperson representing Signzy, said the company had hired a ‘professional agency for conducting the security incident investigation.’
The startup, backed by investors including Mastercard, Vertex Ventures, Kalaari Capital, and Gaja Capital, stated that it had informed its clients, regulators, and stakeholders about the security incident.
Lack of Communication with Regulators
When asked if the firm had engaged with the Reserve Bank of India (RBI), the country’s central bank, Signzy said it had no communication. The RBI did not respond to a request for comment.
Conclusion
The recent security incident at Signzy raises concerns about the security and data protection practices of fintech companies. As the industry continues to grow, so does the risk of cyberattacks. Companies must prioritize security measures and maintain open communication with regulators and stakeholders in case of incidents.
Related Topics
- Cybersecurity: A critical concern for financial institutions and fintech companies.
- Exclusive: TechCrunch’s exclusive reporting on the Signzy security incident highlights the need for transparency in the industry.
- India: The country’s central bank, RBI, has not commented on the incident, sparking concerns about regulatory response.
Follow-up Coverage
Stay tuned for further updates on this developing story. Sign up for TechCrunch’s daily newsletter to receive the latest news and analysis on the intersection of technology and business.
Sources
Recommended Reading
- "Cybersecurity threats to financial institutions: A growing concern" by TechCrunch
- "The importance of transparency in fintech security incidents" by TechCrunch
Update: This article has been updated with additional information and sources.