Payment services provider Juspay, which processes transactions for online giants like Amazon, Swiggy and other firms, on Monday admitted to a data breach that took place in August 2020. The breach resulted in about 3.5 crore records with masked card numbers and private data getting compromised.
The disclosures came after internet security researcher Rajshekhar Rajaharia shared on social media a sample of the data that was available for sale on the dark web. “The database was put for sale by an unknown person who was dealing through Telegram,” Rajaharia told TOI.
Acknowledging the breach, Juspay announced on 18 August 2020 that the company had found illegal activity in one of its data stores. “An old unrecycled AWS access key has been abused to allow unauthorized access.
“The automated system warning was caused by a sudden increase in the use of system resources in the data store. Our incident management team quickly engaged and was able to monitor and avoid the intrusion. The server used in the hack has been terminated and the entry point for this attack has been sealed,” the company said in its blog.
“Over 3.5 crore records with masked card data and card fingerprint data (which are non-sensitive information) have been compromised. The masked card data is used for display purposes and cannot be used to complete a transaction,” Juspay said in its blog. “A portion of our system’s 10 crore user metadata, which has non-anonymised, plain-text email IDs and phone numbers, has been compromised,” Juspay said.
Explaining the delay in disclosure, Juspay said, “We have checked that our protected data store, which hosts confidential card numbers, has not been accessed or compromised. All of our customers were therefore protected from any kind of danger. Our priority was to notify traders and, as a measure of caution, to issue fresh API keys, although it was later checked that even the API keys in use were secure.”
Almost five months after the breach, the seller shared a sample dump with Rajaharia on the darknet. Darknet refers to internet servers that are not open to search engines but can be accessed through special tools that anonymize user information.
Rajaharia said, “The sample data masks the card number and shows just six digits in compliance with the PCI (Payment Card Industry) requirements. However, in addition to the masked number, the data contains the card fingerprint, which is a hashed credit card number. While a hashed card number cannot be decrypted on its own, anyone who gets their hands on the Juspay algorithm can decrypt the numbers. The seller asked for $8,000 in bitcoins for the entire data dump, which he said was about 100 million and about 45 million transaction records.”
Juspay has said that since CVV and PINs are not stored by the company, this critical information is not compromised. According to those in the payment industry, masked card numbers are useless unless someone has access to the algorithm and key to decrypt the data. But others say that fraudsters can put together the pieces and engage in a phishing attack.
Payments in India are subject to two-factor authentication (they require either a one-time password or PIN), but international use does not have such requirements. The RBI has already asked banks to give customers the option to switch off their cards for an international transaction through multiple channels (apps, online, or text messages).