A statement released by Juspay on 5th January 2021 confirms that the India-based company has been the target of a cyberattack resulting in a large-scale data breach. Juspay is a start-up that provides mobile checkout and payment processing solutions to a range of e-commerce platforms, including Amazon, Swiggy, Makemytrip, Ola and several others, processing on average 4 million transactions per day. According to the company’s statement, the breach occurred on 18th August 2020, and as a result 35 million records containing masked credit card numbers and fingerprints were compromised.
The data breach first came to the public’s attention on 3rd January 2021, when cybersecurity researcher Rajshekhar Rajaharia came across the Juspay data dump being offered for sale on the dark web for $8,000. According to Juspay’s statement, the data dump includes 35 million records containing non-sensitive information such as masked credit card numbers (which show only a few digits of the number), credit card fingerprints, information on the card type and the bank that issued the card, the holder’s name, email ID and phone number. The company assured the general public that masked credit card numbers and fingerprints cannot be used to complete transactions, and that customers’ full credit card numbers, order information, card PINs and passwords were secure and had not been compromised. Rajaharia pointed out that the data breach might be bigger than initially acknowledged by Juspay. While the company stated the breach involved 35 million records, the data dump the researcher came across on the dark web was divided into two files, one containing the emails and phone numbers of 100 million customers, and the other containing 46 million credit card details.
It emerged that Juspay had been aware of the breach from the moment it occurred, on 18th August 2020, but did not disclose this to the general public. The company came forward with a public statement only after Rajaharia discovered the data dump on the dark web and posted information about the discovery on Twitter. Juspay acknowledged that it had been aware of the cyberattack, and said it did not publicly inform customers because the breach did not involve sensitive data and therefore, according to the company, did not present a risk to customers. On the day of the cyberattack, the India-based company immediately performed a security audit and informed its partners, and together they took precautionary measures.
As stated by Juspay, the threat actors appear to have accessed one isolated server by using an unrecycled Amazon Web Services (AWS) access key. This unauthorised access triggered an automatic system alert and gave Juspay the chance to respond to the incident and stop the intrusion. In its public acknowledgement, Juspay stated that it had found some gaps in security, and was therefore improving its security policies and making additional investments in cyber threat mitigation.
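One way to catch a long-lived key like the one described above is to audit the IAM credential report for active access keys that are overdue for rotation or no longer in use. The following is an added example, not code from Juspay or from the original article: it reads "unrecycled" as a key left active without rotation or retirement, and the 90-day and 30-day thresholds, the user names and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 30      # assumed: active keys unused this long should be retired

# Constructed sample: a subset of the columns found in an IAM credential report.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,true,2020-07-01T09:00:00+00:00,2020-08-17T22:10:00+00:00,false,N/A,N/A
legacy-batch,true,2018-03-12T11:30:00+00:00,2019-01-05T04:00:00+00:00,false,N/A,N/A
analyst,true,2020-08-01T08:00:00+00:00,N/A,true,2019-11-20T08:00:00+00:00,2020-08-18T01:00:00+00:00
"""

def _parse(ts):
    """Parse an ISO 8601 timestamp; return None for placeholders such as N/A."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def audit_keys(report_csv, now):
    """Return (user, key_slot, reason) for every active key that breaks policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row[prefix + "active"] != "true":
                continue  # inactive keys cannot authenticate
            rotated = _parse(row[prefix + "last_rotated"])
            used = _parse(row[prefix + "last_used_date"])
            age = (now - rotated).days if rotated else None
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((row["user"], slot, f"not rotated for {age} days"))
            # Idle check: time since last use, or since creation if never used.
            last_seen = used or rotated
            if last_seen and (now - last_seen).days > MAX_IDLE_DAYS:
                findings.append((row["user"], slot, "active but idle"))
    return findings

if __name__ == "__main__":
    as_of = datetime(2020, 8, 18, 12, 0, tzinfo=timezone.utc)
    for user, slot, reason in audit_keys(SAMPLE_REPORT, as_of):
        print(f"{user} key {slot}: {reason}")
```

A key that is both old and idle, like the constructed `legacy-batch` entry, is the first candidate for deactivation, since nothing legitimate depends on it.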
Contrary to what was stated by Juspay, Rajaharia highlighted that this breach could potentially be detrimental to users. In fact, there is a risk that the threat actors will manage to figure out the hashing algorithm used for the credit card fingerprint, and hence be able to unveil the full 16-digit credit card number. In addition, considering that users’ email IDs and mobile phone numbers were stored in plain-text format, there is a risk that scammers will contact cardholders and use social engineering techniques to get them to reveal confidential information, for instance their password, CVV and PIN.
The Juspay data breach has raised concerns over the need for stronger data protection laws in India. In addition, the time lag between the occurrence of the breach and Juspay’s public acknowledgement has once again raised debate on the need for accountability and for transparency in promptly informing the public of cyberattacks that may affect their personal information.