Bengaluru-based digital payments gateway Juspay said that about 3.5 crore records with masked card data and card fingerprint were compromised by a hacker.
Cyber security researcher Rajshekhar Rajaharia on Sunday said that data of nearly 10 crore credit and debit card holders in the country is being sold for an undisclosed amount on the Dark Web — leaked from a compromised server of Juspay.
The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction. A part of user metadata in our system which has non-anonymised, plain-text email IDs and phone numbers got compromised,” the company informed.
On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress, it added.
JusPay said no full card numbers, order information, card PINs and passwords were leaked.
“We conducted an audit on the day of the incident which confirmed that our Secure Data Store which hosts the 16-digit encrypted card numbers was not accessed and remains secure. The cyberattack was identified in an isolated/separate system, JusPay said.
“We can confirm that the compromised data does not contain any transaction or order information, as the intrusion was terminated before such an access.”
IANS reported that the data was being sold on the Dark Web for an undisclosed amount via cryptocurrency Bitcoin.
JusPay said that it has made significant investments in security and data governance and its policies are aligned to globally accepted data protection standards.
“We identified gaps in the older access keys and moved them to non-access key-based authentication supported by hosting providers. We have also made two-factor authentication (2FA) mandatory for all the tools accessed by our teams,” JusPay said.