The compromise of personal information including email addresses, full names, phone numbers, and credit/debit card details of more than 100 million Juspay users has been reported by a cyber researcher, who discovered that the stolen data was up for sale on the dark web just last week.
Juspay, a Bangalore-based startup, facilitates over 4 million transactions daily, amounting to Rs 1000 crore, across various e-commerce platforms like Amazon, Swiggy, Ola, and others. The cybersecurity researcher, Rajshekhar Rajaharia, uncovered the data breach in early January.
Acknowledging the breach, Juspay, an Indian online payment platform, disclosed that it had experienced a data breach involving customer information in August. The announcement followed a day after an independent security researcher disclosed that a darknet forum was hosting data of numerous Juspay customers for sale. The breach is thought to have originated from a reused Amazon Web Services access key, which provided unauthorized entry to the databases.
The Payment Card Industry Data Security Standard (PCI DSS) lays down requirements aimed at ensuring the security of environments handling credit card data, including its processing, storage, and transmission.
The leaked data, which includes masked card data (non-sensitive data used for display), encompasses two crore records. Although the company asserts that its card vault, located in a distinct PCI compliant system, remained untouched. Through a series of multi-algorithmic hashing rounds coupled with a unique salt (an additional number attached to the card number), Juspay claims that their algorithms are presently impervious to reverse engineering, even given significant computational resources.
Magnitude of Impact:
The breach incident revealed by Juspay exposes nearly 100 million customer records from the platform available for purchase on the darknet.
The offered dataset comprises 55 million customer names and contact information, and 45 million transaction particulars, encompassing concealed credit and debit card data. This information is being marketed for $8,000, payable in bitcoin. The masked Juspay data on sale conceals the initial six digits of payment cards. Additionally, the listed data includes a hash of the complete 16-digit card number.
Notably, the breach did not compromise users’ PIN numbers, CVV numbers, or passwords.
Juspay responded promptly to the breach by terminating the compromised server and securing its entry and exit points. Immediate system audits were conducted to prevent similar incidents. Juspay informed its merchants about the cyberattack on the same day, collaborating with them to implement precautionary measures.
Mitigation steps undertaken include:
Deactivation of the attacked server and securing its access points.
Immediate system audit to prevent similar issues.
Renewal of API keys and invalidation of old ones.
Mandatory implementation of Two-Factor Authentication (2FA).
Transition away from AWS key-based automation.
Addition of threat-monitoring tools for enhanced security.
While breaches and subsequent data leaks have become increasingly common, the significant concern in this instance lies in the time gap between the breach occurrence and Juspay’s public acknowledgement of the incident.
To avert data breaches and safeguard sensitive information, it is essential to employ robust data protection and privacy services. One such solution is Tsaaro data protection and privacy services, which can play a pivotal role in preventing unauthorised access and ensuring the security of user data in the digital landscape.