Mumbai: Juspay, a payments processing company, suffered a major security breach last August. Data of over 10 crore Indian cardholders, including debit and credit card information, has leaked on the dark web.
Juspay, which processes payments for many companies like Amazon, Swiggy, MakeMyTrip and others, has confirmed this security breach in its official blog.
“It pains us to inform you that a data breach did happen on 18th August 2020. Non-sensitive masked card information, card expiry information, mobile numbers and email ids of a subset of our users were compromised.”
“However let us assure you that no full card numbers, no order information, no card PINs & no passwords were leaked,” Juspay said in the blog post.
On 18th August, the company noticed unauthorized activity on one of the servers that store the data.
Hackers had exploited an old, unrecycled AWS access key to gain unauthorized access to data. But an automated system raised an alert on the sudden increase in usage of the data server and systems, the company explained.
About 3.5 crore records with masked card data and card fingerprint (non-sensitive information) were breached. The masked card data is for display purposes and has no role in completing a transaction.
The security breach at the company's system has exposed the metadata of 10 crore users. This data is in the form of non-anonymised, plain-text email IDs and phone numbers.
“Only one data system was accessed and the card vault, which is on a different PCI-compliant server with encrypted card-data was never accessed,” stated the company.
The company's systems do not store any CVVs, PINs or passwords, so these remain uncompromised. Besides, no order or transaction-related data, API keys or source code was exposed during the breach.
An Indian cybersecurity researcher, Rajshekhar Rajaharia, discovered the data breach, according to media reports. He found that the data dump was available for sale on the dark web.
Reacting to the Juspay data breach incident, Saurabh Sharma, Senior Security Researcher (GReAT) – APAC, Kaspersky, said that data leaks due to internal vulnerabilities have become common in India, especially in the last two years.
Enterprises and institutions have begun to understand the importance of having a strong security framework to save themselves from an external attack by a cybercriminal.
“However, they tend to overlook the internal vulnerabilities that can prove to be very damaging to their reputation and business if exploited by the bad guys,” pointed out Sharma.
Data storage and protection have turned out to be a major concern for a nation like India that strives to grow as a digital economy, according to Sharma.
It is high time that organisations start taking the data protection issue seriously and stay aware of not just the external threats but also the potential internal vulnerabilities, to prevent them from being exploited, he suggested.
To enhance security, Sharma pointed out that organisations should carry out regular network and server evaluation, along with proactive detection of zero-day vulnerabilities and patching them immediately.
Besides, they should launch attractive bug-bounty programmes, store data securely on the cloud, and promptly inform users of a potential leak while updating them on the ways to secure themselves.
Also, Sharma emphasized giving employees in-depth cyber training. These are a few mandatory steps that large enterprises and institutions should follow in order to stay away from cybercriminals and save their reputation.