Juspay, a Bengaluru-based startup, is a payment partner for many Indian online platforms, including Amazon, Swiggy, and Makemytrip. It has been in business for the past eight years, and every Indian feels safe about online transactions while using Juspay. This is the brand confidence that Juspay built over the years. But a minor hiccup has now shaken this confidence a bit. Juspay has confirmed that a data breach compromised 35 million of its users’ credit and debit card details. However, the company said there was no cause for concern as the leaked data only included the masked card data.
Details of the Juspay Data Breach
Rajshekhar Rajaharia, an independent cybersecurity researcher from India, first revealed his findings on the data breach on January 03, 2021, through his Twitter handle. The compromised information of 10 crore (100 million) Indian cardholders was up for sale on the dark web. While analyzing this data dump, Rajshekhar noticed that the leaked information was from a Juspay data server and required immediate attention.
10 Crore Indian Cardholder’s Cards Data Including Name, Mobile, BankName Leaked from @juspay Server. Available for Sell on DarkWeb.
Story – https://t.co/WczIrFeLel #Infosec #DataLeak #DataBreach #infosecurity #CyberSecurity #GDPR #DataSecurity #Banks #CreditCard #dataprotection pic.twitter.com/X1KYcP8WSh
— Rajshekhar Rajaharia (@rajaharia) January 3, 2021
Acknowledging Rajshekhar’s findings, Juspay confirmed the data breach in a post on Medium. However, the company was quick to correct multiple media reports, stating that only 35 million records were compromised and that the claim of 100 million was “grossly inaccurate.” To give more clarity on the incident, Juspay gave the following timeline of the entire episode:
- During the early hours of Aug 18, 2020, Juspay’s engineers noticed unauthorized activity in one of the data stores.
- An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store.
- Juspay’s incident response team immediately sprang into action, traced the intrusion, and stopped it. The server used in the cyberattack was terminated and the entry point for this intrusion was sealed.
- On investigating it further, the root cause of the unauthorized access that led to the Juspay data breach was found to be an unrecycled access key that was exploited.
- A system audit was initiated on the same day to make sure the entire category of such issues was prevented.
- Juspay then informed all its merchant partners of the cyberattack and worked with them to take various precautionary measures.
- Over the next few days, a thorough analysis of the audit trails was undertaken to assess the impact of the cyberattack.
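The root cause in the timeline above was an access key that had not been recycled. The following added example (not Juspay's code and not part of the original article) shows the kind of audit that surfaces such keys, taking "unrecycled" to mean a key that was never rotated or retired. The key inventory, field names, and the 90-day and 30-day thresholds are all constructed assumptions.

```python
from datetime import date, timedelta

# Assumed policy values, not taken from the article.
MAX_KEY_AGE = timedelta(days=90)  # every active key must be rotated this often
MAX_IDLE = timedelta(days=30)     # an active key unused this long should be retired

# Constructed inventory: hypothetical key IDs, owners and dates.
KEYS = [
    {"key_id": "key-A", "owner": "checkout-svc", "created": "2020-07-01",
     "last_used": "2020-08-17", "active": True},
    {"key_id": "key-B", "owner": "reporting-job", "created": "2019-03-10",
     "last_used": "2020-08-18", "active": True},
    {"key_id": "key-C", "owner": "migration-script", "created": "2020-06-20",
     "last_used": "2020-06-25", "active": True},
    {"key_id": "key-D", "owner": "former-employee", "created": "2018-11-02",
     "last_used": None, "active": True},
    {"key_id": "key-E", "owner": "legacy-etl", "created": "2018-01-01",
     "last_used": "2018-02-01", "active": False},
]


def audit_keys(keys, today):
    """Return {key_id: [reasons]} for active keys that violate the policy."""
    findings = {}
    for key in keys:
        if not key["active"]:
            continue  # disabled keys cannot authenticate, so skip them
        reasons = []
        if today - date.fromisoformat(key["created"]) > MAX_KEY_AGE:
            reasons.append("rotation overdue")
        if key["last_used"] is None:
            reasons.append("never used")
        elif today - date.fromisoformat(key["last_used"]) > MAX_IDLE:
            reasons.append("idle")
        if reasons:
            findings[key["key_id"]] = reasons
    return findings


if __name__ == "__main__":
    # Audit date set to the day the intrusion was noticed in the timeline.
    for key_id, reasons in audit_keys(KEYS, date(2020, 8, 18)).items():
        print(f"{key_id}: {', '.join(reasons)}")
```

A key like key-B is the hardest case to spot: it is in daily use, so it looks healthy, yet it has gone well past its rotation window.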
Impact of the Data Breach
Juspay confirmed that although 35 million credit and debit card details were leaked, they included only masked card data, meaning that six digits of each sixteen-digit card number were masked (hashed). Rajshekhar confirmed this but sounded skeptical, saying, “What if the cybercriminals figure out the algorithm used to generate these hashes? They could then use brute force and find out what the original card numbers are.”
Apart from this, Juspay said that the only non-anonymized data leaked during the breach were plain-text email IDs and phone numbers. Experts expressed concern that this information could be used in phishing or telecalling scams and attacks. Thus, all Juspay users need to be on alert in the coming months.