Juspay Data Breach

Article by Tsaaro

Introduction:

Personal details such as email IDs, full names, phone numbers, and debit and credit card details of over 100 million Juspay users have been breached by a hacker who posted the data for sale on the dark web, a cyber-security researcher discovered last week.

The Bangalore-based start-up processes over 4 million transactions worth Rs 1000 crore every day across e-commerce platforms such as Amazon, Swiggy, Ola and others. The data dump was discovered in the first week of January by cybersecurity researcher, Rajshekhar Rajaharia.

JusPay, an Indian online payment platform, recently acknowledged that it sustained a breach of customer data in August. The announcement came a day after an independent security researcher reported that data on millions of JusPay customers had been offered for sale on a darknet forum. The breach appears to have stemmed from a recycled Amazon Web Services access key that enabled unauthorized access to its databases.

Scope:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The leaked masked card data (non-sensitive data used for display) amounts to two crore records. The company stated that its card vault was held in a separate PCI-compliant system which was never accessed. Card numbers are protected by hundreds of rounds of hashing with multiple algorithms together with a salt (an additional value appended to the card number before hashing); Juspay claims, “The algorithms that we use are currently not possible to reverse engineer even given enough compute resources.”

Scale of Impact:

The breach revelation from JusPay shows nearly 100 million JusPay customer records are listed for sale on the darknet.

The data offered for sale includes 55 million JusPay customers’ names and contact details and 45 million transaction details, including masked debit and credit card information. The data is being offered for $8,000, payable in bitcoin. The masked data offered for sale hides the first six digits of the payment card, but the listing also includes a hash of the full 16-digit card number.

However, the company also says that users’ PIN numbers, CVV numbers or passwords were not compromised in the breach.
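The two protections the article describes, display masking of the card number and salted, many-round hashing of the full number, as an added Python example (not Juspay's code; SAMPLE_PAN is a constructed test number and PBKDF2-SHA256 stands in for the unnamed algorithms). It also shows the stronger option a practitioner would want beside a stored salt: a keyed HMAC whose key stays in the card vault, so a leaked hash cannot be recomputed from the dump alone.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample: a well-known test PAN, not a real card number.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4) -> str:
    """Return a display-safe form of a PAN.

    PCI DSS requirement 3.3 allows at most the first six and last four
    digits to stay visible; a more permissive mask is rejected.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    if keep_first > 6 or keep_last > 4:
        raise ValueError("mask would expose more than PCI DSS permits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def salted_iterated_hash(pan: str, salt: bytes, rounds: int = 100_000) -> str:
    """Salted, iterated hash of the full PAN (PBKDF2-SHA256 as stand-in).

    The salt is stored next to the hash, so anyone holding the dump can
    recompute it; the only cost they face is the round count.
    """
    return hashlib.pbkdf2_hmac("sha256", pan.encode(), salt, rounds).hex()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key that never leaves the card vault/HSM.

    Without the key the value cannot be recomputed at all, so a leaked
    hash reveals nothing about the PAN even though the digit space is small.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def verify_keyed(pan: str, key: bytes, stored: str) -> bool:
    """Constant-time match of a PAN against a stored keyed hash."""
    return hmac.compare_digest(keyed_hash(pan, key), stored)


if __name__ == "__main__":
    salt, key = os.urandom(16), secrets.token_bytes(32)
    print(mask_pan(SAMPLE_PAN))                       # ************1111
    print(salted_iterated_hash(SAMPLE_PAN, salt, 1000)[:16])
    print(verify_keyed(SAMPLE_PAN, key, keyed_hash(SAMPLE_PAN, key)))
```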

Mitigation Strategy:

Juspay responded immediately to the incident and stopped the intrusion. According to the statement given by the company, some of the mitigation steps taken included:

1. Termination of the server used in the attack and sealing its egress/entry points.

2. Within the same day, a system audit was done to make sure the entire category of such issues is prevented. The company said, “Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

3. Refreshing API keys and invalidating the old keys.

4. Enforcing 2 Factor Authentication for all of its tools and moving away from AWS key-based automation.

5. Adding threat-monitoring tools to its security profile to prevent further attacks.

Biggest Concern:

While breaches and subsequent data dumps like this are commonplace these days, what’s worrying, in this case, is the time lag between the breach and Juspay’s public acknowledgment of it.
