Bangalore start-up Juspay has issued a statement saying that about 3.5 crore records with masked card data and card fingerprint were breached in a cyber attack suffered by them in August 2020. According to the company, this falls under the category on non-sensitive information.
The statement by the company also says that a part of user metadata in their system “which has non-anonymised, plain-text email IDs and phone numbers got compromised.”
All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information.Statement from Juspay
Earlier, media reports had said that personal details such as email ids, full names, phone numbers, and debit and credit card details of over a 10 crore users of Juspay had been breached by a hacker who posted the data for sale on the dark web, which the company has denied, terming them “grossly inaccurate”.
The Bangalore start-up processes transactions from Amazon, MakeMyTrip, Swiggy, Uber, Airtel, Vodafone Idea and other well-used applications in India and had announced the data breach in August of 2020.
Juspay confirmed the breach in a statement admitting a compromise in one of its servers. The breach happened in a data dump which would allow for more online phishing scams. The data dump was discovered in the first week of January by cybersecurity researcher, Rajshekhar Rajaharia, reported NDTV.
He apparently discovered it was done by a hacker who was trying to approach buyers on Telegram in exchange for Bitcoin payments, reported NDTV. Rajaharia told Business Insider that the seller demanded $8,000 in Bitcoin to purchase the data.
The data leak could make card holders prone to phishing scam where users may be conned into revealing private information like OTPs or PINs, said Rajaharia to Business Insider.
(This story has been updated to reflect a statement from Juspay)
(With inputs from Business Insider and NDTV Gadgets)