Juspay Data Breach

Article by Tsaaro

Introduction:

Personal details such as email IDs, full names, phone numbers, and debit and credit card details of over 100 million Juspay users have been breached by a hacker who posted the data for sale on the dark web, as a cyber-security researcher discovered last week.

The Bangalore-based start-up processes over 4 million transactions worth Rs 1000 crore every day across e-commerce platforms such as Amazon, Swiggy, Ola and others. The data dump was discovered in the first week of January by cybersecurity researcher Rajshekhar Rajaharia.

JusPay, an Indian online payment platform, recently acknowledged that it sustained a breach of customer data in August. The announcement came a day after an independent security researcher reported that data on millions of JusPay customers had been offered for sale on a darknet forum. The breach appears to have stemmed from a recycled Amazon Web Services access key that enabled unauthorized access to its databases.

Scope:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The leaked masked card data (non-sensitive data used for display) comprises two crore records. The company claimed that its card vault was in a separate PCI-compliant system that was never accessed. Describing its approach of hundreds of rounds of hashing with multiple algorithms along with a salt (an additional value appended to the card number before hashing), Juspay claims, “The algorithms that we use are currently not possible to reverse engineer even given enough compute resources.”

Scale of Impact:

The breach revelation from JusPay shows nearly 100 million JusPay customer records are listed for sale on the darknet.

The data offered for sale includes 55 million JusPay customers’ names and contact details and 45 million transaction details, including masked debit and credit card information. The data is being offered for $8,000, payable in bitcoin. The masked data offered for sale hid the first six digits of the payment card. The listing also includes a hash of the full 16 digits of the card.

However, the company also says that users’ PINs, CVVs and passwords were not compromised in the breach.

Mitigation Strategy:

Juspay responded immediately to the incident and stopped the intrusion. According to the statement given by the company, some of the mitigation steps taken included:

1. Terminating the server used in the attack and sealing its entry and egress points.

2. Within the same day, a system audit was done to ensure that the entire category of such issues was prevented. The company said, “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

3. Refreshing API keys and invalidating the old keys.

4. Enforcing two-factor authentication for all of its tools and moving away from AWS key-based automation.

5. Adding threat-monitoring tools to its security profile to prevent further attacks.
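Steps 3 and 4 above target the root cause reported for this incident: a recycled, long-lived AWS access key. As an added illustration (not code from Juspay or the article), the script below shows the kind of periodic audit a defender runs to flag such keys before they are reused; it works on a constructed sample shaped like IAM's list_access_keys / get_access_key_last_used output, and the 90-day and 30-day thresholds are assumed policy values.

```python
from datetime import datetime, timedelta, timezone

# Assumed rotation policy (not stated in the article): active keys older than
# MAX_AGE_DAYS are due for rotation; keys unused for IDLE_DAYS are deactivated,
# since an idle credential that leaks can be "recycled" without anyone noticing.
MAX_AGE_DAYS = 90
IDLE_DAYS = 30

# Constructed sample in the shape of IAM's responses; key ids are placeholders.
NOW = datetime(2021, 1, 8, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE0000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "old-automation", "AccessKeyId": "AKIAEXAMPLE0000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=150)},
    {"UserName": "analyst", "AccessKeyId": "AKIAEXAMPLE0000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": None},
    {"UserName": "retired", "AccessKeyId": "AKIAEXAMPLE0000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=500), "LastUsedDate": NOW - timedelta(days=300)},
]


def classify_key(key, now=NOW):
    """Return the action the audit recommends for one access key."""
    if key["Status"] != "Active":
        return "already-inactive"   # no live risk; schedule for deletion
    age = now - key["CreateDate"]
    # A key that has never been used counts as idle since its creation.
    idle = now - (key["LastUsedDate"] or key["CreateDate"])
    if idle > timedelta(days=IDLE_DAYS):
        return "deactivate"         # unused long-lived key: remove it
    if age > timedelta(days=MAX_AGE_DAYS):
        return "rotate"             # in use, but past the rotation deadline
    return "ok"


def audit_keys(keys, now=NOW):
    """Map every key id to its recommended action."""
    return {k["AccessKeyId"]: classify_key(k, now) for k in keys}


def needs_action(keys, now=NOW):
    """Key ids (sorted) whose key should be rotated or deactivated."""
    return sorted(k for k, a in audit_keys(keys, now).items() if a in ("rotate", "deactivate"))


if __name__ == "__main__":
    for key_id, action in audit_keys(SAMPLE_KEYS).items():
        print(f"{key_id}: {action}")
```

In a real environment the same classification is fed from the IAM API; moving automation to short-lived role credentials, as step 4 describes, removes the long-lived keys this audit looks for altogether.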

Biggest Concern:

While breaches and subsequent data dumps like this are commonplace these days, what is worrying in this case is the time lag between the breach and Juspay’s public acknowledgment of it.
