Rajshekhar Rajaharia, an independent cybersecurity researcher, claimed on Sunday that the data of almost 10 crore credit and debit cardholders is being sold on the Dark Web by anonymous hackers, for an undisclosed amount payable in the cryptocurrency bitcoin.
The data dump resulted from a leak of this sensitive information from a compromised server of Juspay, a Bengaluru-based payments gateway.
However, according to Juspay, no card numbers or financial information were compromised, and the total number of records leaked is much lower than what is being reported.
“On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised,” a company spokesperson said in a statement. He further added, “Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records.” Juspay said that only a few phone numbers and email addresses, which have dummy values, have been leaked, owing to its alertness in having warned its merchant partners that same day.
Rajaharia said that the hackers are also using Telegram for contracting. Adding to the concern of these credit and debit cardholders, Rajaharia said that if the hackers succeed in decoding the hash algorithm used to generate the fingerprint, they will gain access to the masked card number. But according to Juspay, masked card numbers are not sensitive data as per compliance.
The company admits that the data was put at risk once the hacker was able to access one of Juspay’s developer keys and was spawning new computation servers in the developer account.
The company is looking forward to making the investments needed to strengthen security and data governance with industry governance.