Juspay played down the massive data breach that affected millions of customers and said it did not expose any confidential customer information.
The Bengaluru-based company acknowledged the breach five months after an investigator found 100 million records being sold on the dark web. Juspay claims that the media sensationalized and exaggerated the breach.
The Indian payment processor handles more than four million daily transactions through Amazon, Swiggy, MakeMyTrip, Vodafone, Uber, Ola, and other e-commerce platforms.
Indian payment processor Juspay acknowledges but downplays a massive data breach
Indian payment processor Juspay issued a statement saying that it was the victim of a cyberattack on one of its isolated storage systems on August 18, 2020. The company said the data breach occurred when “an old AWS access key was exploited, not recycled,” allowing unauthorized access and triggering an automatic system alert.
Juspay said it did not inform the public of the data breach because the victims were not at risk.
“Our priority was to inform merchants and, as an abundant precautionary measure, they were issued new API keys, although it was later verified that even the API keys in use were secure,” the company statement reads.
The Bengaluru-based payment processor acknowledged the data breach after an independent cybersecurity expert, Rajshekhar Rajaharia, disclosed the breach five months after it happened.
One hundred million customers were affected by the Juspay data breach
Juspay confirmed that 35 million records with masked card data and card fingerprints were breached. Similarly, unauthorized attackers accessed 100 million “non-anonymized” customer metadata records containing email IDs and phone numbers in the August 2020 breach.
Rajaharia tweeted that the data included names, mobile phone numbers and bank names. Inc42 reported that the leaked data contained 16 fields including “card brand (VISA / Mastercard), card expiration date, last four digits of card, masked card number, card type (credit / debit), the name on the card, the card’s fingerprint, the card’s ISIN, the customer ID, and the business account ID.”
However, Juspay claimed that “these reports claiming that the data of 100 million cardholders was breached or that the ‘largest breach in India’ is extremely inaccurate.”
The payment processor also noted that the breach was restricted to an isolated system that stores masked card details for display on the merchant’s user interface. Consequently, the exposed details cannot be used to complete a transaction because the masked card details show only some of the card number’s digits.
The company clarified that the information did not contain any order or transaction information and that “all full card numbers, order information, card PIN or customer passwords are secure.”
Juspay data is traded on the dark web market
Rajaharia said that he came across the Juspay data dump being sold for $8,000 worth of bitcoin on a dark web marketplace.
“On January 3, I came across a seller on the dark web selling two data files, one with email addresses and mobile phone numbers of 100 million customers, while the other had stored card data from 45 million transaction details,” said the cybersecurity researcher.
Rajaharia believes that the risks posed by the Juspay data breach were greater than what the payment processor had initially recognized. He notes that storing the card’s fingerprint along with the masked card number from which it was generated could potentially lead to the unmasking of the six hidden digits.
“If the hacker can figure out the algorithm for the card’s fingerprint, he can easily unmask all the digits,” Rajaharia said.
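Why that pairing matters, as an added example (not Juspay's code; the page does not say how the fingerprint is computed): it assumes a 16-digit card masked to its first six and last four digits and a hypothetical unkeyed SHA-256 fingerprint, and compares it with a fingerprint keyed by a secret held outside the breached store. All function names and the test card number are constructed for illustration.

```python
import hashlib
import hmac

def luhn_mod10(pan: str) -> int:
    """Luhn checksum of a digit string modulo 10 (0 means the number is valid)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10

def unkeyed_fingerprint(pan: str) -> str:
    # Assumed weak design: a plain hash of the card number, no secret involved.
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_fingerprint(pan: str, key: bytes) -> str:
    # Hardened design: HMAC under a key that is not stored beside the fingerprints.
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def candidates(first6: str, last4: str):
    """Every Luhn-valid 16-digit number that fits the masked form."""
    if len(first6) != 6 or len(last4) != 4:
        raise ValueError("expects a first-six / last-four mask")
    for head in range(10 ** 5):
        base = f"{first6}{head:05d}0{last4}"
        # The sixth hidden digit sits at an undoubled Luhn position, so it is
        # fully determined by the other fifteen digits.
        fix = (-luhn_mod10(base)) % 10
        yield f"{first6}{head:05d}{fix}{last4}"

def consistent_pans(first6, last4, stored_fp, fingerprint):
    """Card numbers whose fingerprint equals the stored one."""
    return [p for p in candidates(first6, last4)
            if hmac.compare_digest(fingerprint(p), stored_fp)]

if __name__ == "__main__":
    pan = "4111111111111111"                # constructed test number, not real data
    key = b"constructed-secret-key"         # placeholder key for the demo
    print(sum(1 for _ in candidates(pan[:6], pan[-4:])), "numbers fit the mask")
    print("unkeyed:", consistent_pans(pan[:6], pan[-4:],
                                      unkeyed_fingerprint(pan), unkeyed_fingerprint))
    print("keyed, key unknown:", consistent_pans(
        pan[:6], pan[-4:], keyed_fingerprint(pan, key),
        lambda p: keyed_fingerprint(p, b"wrong-guess")))
```

The mask plus the check digit leaves only 100,000 possible numbers, so an unkeyed fingerprint identifies the card outright; the keyed variant holds only as long as the key stays out of the store that holds the fingerprints.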
Additionally, having customers’ emails and phone numbers and partial credit card details allows hackers to create targeted phishing messages to trick customers into revealing their full payment information.
Investigators at Amazon said they had not experienced any impact from the Juspay data breach. Similarly, Swiggy confirmed that “no usable banking information, such as our customers’ 16-digit card numbers, was compromised in this incident.”
Indian credit card transactions require two-factor authentication, but international transactions lack that security feature. The Reserve Bank of India (RBI) is discussing the application of the payment aggregator licensing requirements to prevent similar data breaches in the future.
“The Juspay breach shows that 2021 is starting as usual for malicious actors, with long dwell times between intrusion and discovery,” says Saryu Nayyar, CEO of Gurucul. “While some of the data for this breach was obfuscated, there is a very real possibility that attackers could overcome the obfuscation. Even if they don’t, the stolen information could be used for sophisticated social engineering or spear-phishing attacks.”
Nayyar was also concerned about the dwell time, noting that a data breach in mid-August now being reported “indicates that there may be some gaps in the Juspay security stack or in its security operations process.”