Personal details such as email IDs, full names, phone numbers, and debit and credit card details of over 100 million users of Juspay have been breached by a hacker who posted the data for sale on the dark web, a cyber-researcher discovered last week.
The Bangalore-based start-up processes over 4 million transactions worth Rs 1000 crore every day across e-commerce platforms such as Amazon, Swiggy, Ola and others. The data dump was discovered in the first week of January by cybersecurity researcher, Rajshekhar Rajaharia.
In other words, if an individual has made online payments on any one of these platforms, the processing has been done by Juspay and there is a likelihood that one’s card details could have been breached.
Juspay acknowledged that the breach occurred on 18 August, 2020, and in an official blog insisted all the customer data including card PINs are “secure”.
According to the company, “All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information.”
How Was The Breach Discovered?
According to Rajaharia, he came across this data on the dark web a few days ago, where it was on offer in exchange for Bitcoin. Rajaharia told Business Insider that the seller demanded $8,000 in Bitcoin to purchase the data.
The data leak could make card holders prone to phishing scams in which users may be conned into revealing private information like OTPs or PINs, Rajaharia told Business Insider.
What is the Impact?
According to Juspay, about 3.5 crore records with masked card data and card fingerprint (which is non-sensitive information) were breached. “The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction,” the company said.
Rajaharia, however, says that the number of those impacted is higher – around 4.5 crore individuals. According to him, based on information from the dark web seller, there were 10 crore email IDs and phone numbers and 4.5 crore card details.
“On 3 January, I came across a seller on the dark web selling two files of data, one with email addresses and mobile numbers of 100 million customers, while the other had stored card data of 46 million transaction details,” a CNBC report stated.
What Does Juspay Have to Say About The Breach?
According to the payments processing company, the breach was “restricted to an isolated incident” and media reports “seem to be sensationalising the incident.”
Downplaying the incident, the company stated, “the breach was restricted to an isolated system containing non-sensitive masked card primarily used for display purposes on merchant UI and cannot be used for completing a transaction.”
Juspay said on 18 August 2020 that the company “noticed an unauthorised activity in one of our data stores” and that they were able to stop the intrusion.
“Over the next few days, a thorough analysis of the audit trails was undertaken to assess the impact of the cyberattack,” the company said.
How Serious Was The Breach?
Tobby Simon, founder and president of Synergia Foundation, hit out at Juspay for not disclosing the breach to customers immediately, and called the company “highly irresponsible.”
“It is highly irresponsible of the company to say that consumers are not at risk. Some of the biggest online frauds have happened around e-commerce companies,” he said, according to the CNBC report.
Rajaharia has also dismissed the company's claim that there is no risk to customers because only non-sensitive data was compromised. He says the potential risk of such a breach is high, especially because card fingerprint data has been breached: if a hacker can work out the algorithm used to generate the fingerprint, it would lead to all the card data being exposed.
“The company masks the middle six-digit but also stores the fingerprint of the card number, which is a hash value of the card number. If the hacker can figure out the algorithm for the card fingerprint, they can easily unmask all digits,” Rajaharia said.
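To illustrate the concern quoted above, here is an added example that is not Juspay's code; the article does not say how Juspay computes its fingerprint. It assumes an unkeyed SHA-256 fingerprint and compares it with an HMAC keyed by a secret held outside the breached store; the mask format, test card number and key are constructed.

```python
import hashlib
import hmac

def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def candidates(masked: str):
    """Yield Luhn-valid 16-digit numbers matching a mask like 411111XXXXXX1111."""
    head, tail = masked[:6], masked[-4:]
    for mid in range(10**6):
        pan = f"{head}{mid:06d}{tail}"
        if luhn_ok(pan):
            yield pan

def plain_fingerprint(pan: str) -> str:
    # Assumed weak design: unkeyed hash of the card number.
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_fingerprint(pan: str, key: bytes) -> str:
    # Assumed stronger design: HMAC with a secret kept outside the data store.
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def matches_from_dump(cands, fingerprint, fp_func):
    """Candidates that a holder of only the leaked record could confirm."""
    return [p for p in cands if fp_func(p) == fingerprint]

# Constructed sample record built from the public test number 4111111111111111.
TEST_PAN = "4111111111111111"
MASKED = "411111XXXXXX1111"
SERVER_KEY = b"constructed-secret-not-in-the-dump"

def audit():
    cands = list(candidates(MASKED))
    weak = matches_from_dump(cands, plain_fingerprint(TEST_PAN), plain_fingerprint)
    # Without SERVER_KEY the dump holder has no function that reproduces the value.
    strong = matches_from_dump(cands, keyed_fingerprint(TEST_PAN, SERVER_KEY),
                               plain_fingerprint)
    return len(cands), weak, strong

if __name__ == "__main__":
    print(audit())
```

Six masked digits leave only 100,000 Luhn-valid candidates, so the protection of a fingerprint stored beside the masked number rests entirely on a key that was not in the same data store.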
Has My Card Number and PIN Been Compromised?
Juspay has asked people to reach out to the company at email@example.com for any queries that customers may have.
The company has received flak from the information security community for not being upfront in informing customers of the data breach.
Swiggy said 'no usable banking information such as the 16 digit card number of our customers was compromised in this incident,' CNBC reported.
What Has The Company Done About This?
According to Juspay, it has taken a host of steps that include the following:
- We worked with our merchant partners to refresh API keys and invalidate the old keys. Subsequently, the old keys were verified to be safe.
- Enforced 2-factor authentication for all tools in the company.
- Moved away from access key-based automation.
- Recycled all older credentials in our systems and set tight key rotation policies.
- Further tightened various internal systems access control protocols, limiting resource access.
- We are engaged with threat intelligence experts and have invested in enhanced threat monitoring tools.
“We did identify some gaps as we learnt more from our recent experience and have taken several measures involving policy changes and further investment in cyber threat mitigation tools,” the company stated.