Juspay Data Breach

Introduction:

Personal details such as email IDs, full names, phone numbers, and debit and credit card details of over 100 million users of Juspay have been breached by a hacker who posted the data for sale on the dark web, a cyber-researcher discovered last week.

The Bangalore-based start-up processes over 4 million transactions worth Rs 1000 crore every day across e-commerce platforms such as Amazon, Swiggy, Ola and others. The data dump was discovered in the first week of January by cybersecurity researcher Rajshekhar Rajaharia.

JusPay, an Indian online payment platform, recently acknowledged that it sustained a breach of customer data in August. The announcement came a day after an independent security researcher reported that data on millions of JusPay customers had been offered for sale on a darknet forum. The breach appears to have stemmed from a recycled Amazon Web Services access key that enabled unauthorized access to its databases.

Scope:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The leaked masked card data (non-sensitive data used for display) contains two crore records. The company claimed, however, that its card vault sits in a different PCI-compliant system which was never accessed. Juspay says it does hundreds of rounds of hashing with multiple algorithms along with a salt (another number appended to the card number), and claims, “The algorithms that we use are currently not possible to reverse engineer even given enough compute resources.”

Scale of Impact:

The breach revelation from JusPay shows nearly 100 million JusPay customer records are listed for sale on the darknet.

The data offered for sale includes 55 million JusPay customers’ names and contact details and 45 million transaction details, including masked debit and credit card information. The data is being offered for sale for $8,000, payable in bitcoin. The masked data being offered for sale hid the first six digits of the payment card. The data listed for sale also includes a hash of the entire 16 digits of the card.

However, the company also says that users’ PIN numbers, CVV numbers or passwords were not compromised in the breach.

Mitigation Strategy:

Juspay responded immediately to the incident and stopped the intrusion. According to the statement given by the company, some of the mitigation steps taken included:

1. Termination of the server used in the attack and sealing its egress/entry points.

2. Within the same day, a system audit was done to make sure the entire category of such issues is prevented. The company said, “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

3. Refreshing API keys and invalidating the old keys.

4. Enforcing 2 Factor Authentication for all of its tools and moving away from AWS key-based automation.

5. Adding threat-monitoring tools to its security profile to prevent further attacks.
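
Steps 3 and 4 come down to finding long-lived access keys and logins without a second factor. The following is an added example, not Juspay's tooling: it audits a constructed excerpt laid out like AWS's IAM credential report, and the user names, dates and 90-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (trimmed to the columns used here); users and dates are made up.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
deploy-bot,false,false,true,2019-03-01T00:00:00+00:00,2020-08-18T02:14:00+00:00,false,N/A,N/A
alice,true,true,true,2020-07-20T11:30:00+00:00,2020-08-17T08:00:00+00:00,false,N/A,N/A
bob,true,false,false,N/A,N/A,false,N/A,N/A
old-ci,false,false,true,2020-06-01T00:00:00+00:00,N/A,true,2018-01-15T00:00:00+00:00,2018-02-01T00:00:00+00:00
"""

def parse_ts(value):
    """Return an aware datetime, or None for placeholders such as 'N/A'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return (user, finding) pairs: stale or unused keys, console logins without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        for n in ("1", "2"):  # each IAM user can hold two access keys
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > max_key_age_days:
                findings.append((user, f"key {n} not rotated for {(now - rotated).days} days"))
            if used is None:
                findings.append((user, f"key {n} active but never used"))
            elif (now - used).days > max_idle_days:
                findings.append((user, f"key {n} idle for {(now - used).days} days"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, datetime(2020, 8, 19, tzinfo=timezone.utc)):
        print(f"{user}: {finding}")
```

Keys flagged as idle or never used are candidates for deactivation rather than rotation, which also shrinks the set of credentials that key-based automation depends on.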

Biggest Concern:

While breaches and subsequent data dumps like this are commonplace these days, what’s worrying, in this case, is the time lag between the breach and Juspay’s public acknowledgment of it.