Indian online ID verification firm Signzy confirms security incident


Signzy, a popular vendor offering online “know your customer” ID verification and customer onboarding services to several top financial institutions, commercial banks, and fintech companies, has confirmed a security incident, TechCrunch can exclusively report.

The Bengaluru-based startup, which serves over 600 financial institutions globally — including the four largest Indian banks, was hit by a cyberattack last week, according to sources speaking with TechCrunch. On Saturday, Signzy told TechCrunch it was aware of the security incident but declined to elaborate.

India’s computer emergency response team, known as CERT-In, separately acknowledged TechCrunch that it was aware of the incident and “in process of taking appropriate action with the concerned authority.”

Founded in 2015, Signzy enables onboarding for 10 million customers and businesses monthly. The startup, which has offices in New York and Dubai — in addition to its India offices in Bengaluru, Gurugram, and Mumbai — counts several major companies among its key customers, including ICICI Bank, SBI, MSwipe, and Aditya Birla Financial Services.

TechCrunch learned about the security incident from sources, including two Signzy clients, who were concerned about the alleged customer data that briefly appeared on a cybercrime forum post, which TechCrunch has seen.

PayU, another Signzy customer, said that Signzy was hit by an “information stealer malware” and asserted that it had no exposure to the incident.

“There is no impact on PayU customers or their data due to Signzy’s information stealer malware. We have received written confirmation from the vendor that PayU and its customers’ data have not been compromised and remain secure with the best security standards in place,” PayU spokesperson Dimple Mehta told TechCrunch.

Other customers said they were unaffected. When asked by TechCrunch, ICICI Bank stated that it had no exposure to the incident.

In a statement to TechCrunch, Signzy declined to comment on whether customer data had been exfiltrated. Debdoot Majumder, a spokesperson representing Signzy, said the company had hired a “professional agency for conducting the security incident investigation.”

The startup, backed by investors including Mastercard, Vertex Ventures, Kalaari Capital, and Gaja Capital, said it had informed its clients, regulators and stakeholders about the security incident.

When asked if the firm had engaged with the Reserve Bank of India, the country’s central bank, Signzy said it had no communication. The central bank didn’t respond to a request for comment.


Leave a Comment