Indian online identity verification company Signzy confirms security incident

Signzy, a well-liked provider offering know-your-customer online identity verification and customer onboarding services to several leading financial institutions, industrial banks and fintech corporations, has confirmed a security incident that TechCrunch can exclusively report.

According to sources who spoke to TechCrunch, the Bengaluru-based startup that serves over 600 financial institutions all over the world, including 4 of India’s largest banks, was hit by a cyberattack last week. On Saturday, Signzy told TechCrunch it was aware of the security incident but declined to supply details.

India’s Computer Emergency Response Team, often called CERT-In, individually admitted to TechCrunch that it was aware of the incident and “is in the process of taking appropriate action with the appropriate authority.”

Founded in 2015, Signzy enables latest customer and business onboarding for 10 million customers per 30 days. The startup, which has offices in New York and Dubai – other than India offices in Bengaluru, Gurugram and Mumbai – counts several large corporations as its key clients, including ICICI Bank, SBI, MSwipe and Aditya Birla Financial Services.

TechCrunch learned of the security incident from sources, including two Signzy customers who were concerned about purported customer data that briefly appeared in a post on a cybercrime forum that TechCrunch saw.

PayU, one other Signzy customer, said Signzy was attacked by “information-stealing malware” and warranted it had no contact with the incident.

“The Signzy information-stealing malware has no impact on PayU customers or their data. We have received written confirmation from the supplier that the data of PayU and its customers has not been compromised and is safe thanks to the best security standards,” PayU spokesperson Dimple Mehta told TechCrunch.

Other customers said it had no effect. When asked by TechCrunch, ICICI Bank said it had no contact with the incident.

In an announcement to TechCrunch, Signzy declined to comment on whether customer data had been extracted. Debdoot Majumder, a spokesman for Signza, said the company had hired a “professional agency to conduct an investigation into the security incident.”

The startup, backed by investors including Mastercard, Vertex Ventures, Kalaari Capital and Gaja Capital, said it had informed its customers, regulators and stakeholders in regards to the security incident.

Asked if the company was working with the Reserve Bank of India, the country’s central bank, Signzy said it was not in touch. The central bank didn’t reply to a request for comment.