Bengaluru-based JusPay Technologies, which provides mobile checkout and payment processing solutions, on Monday confirmed being hit by a data breach.
JusPay, in a post on Medium, said that one of its servers was infiltrated on August 18, 2020, which resulted in the theft of data belonging to millions of cardholders. It acknowledged the incident after independent cybersecurity researcher Rajshekhar Rajaharia revealed that the compromised information of the cardholders is on sale on the dark web.
10 Crore Indian Cardholder's Cards Data Including Name, Mobile, BankName Leaked from @juspay Server. Available for Sell on DarkWeb.— Rajshekhar Rajaharia (@rajaharia) January 3, 2021
Story - https://t.co/WczIrFeLel #Infosec #DataLeak #DataBreach #infosecurity #CyberSecurity #GDPR #DataSecurity #Banks #CreditCard #dataprotection pic.twitter.com/X1KYcP8WSh
Rajaharia shared screenshots of the data dump, claiming that the breach has affected some 10 crore cardholders. Screenshots displayed users’ names, emails, and phone numbers as well as the name of their bank, card type (credit/debit), card brand, card ISIN, (VISA/Rupay/Mastercard), card fingerprint, and card expiry date, among other things. It still remains available on the dark web, the researcher told TechCircle.
On its part, JusPay said that about 3.5 crore records with masked card numbers and card fingerprints were breached, along with a small portion of 10 crore transaction metadata in its system which had plain-text email IDs and phone numbers.
However, the company emphasized that the masked numbers are only for display purposes and can not be used for making a transaction and that no full card numbers, order information, PINs, CVVs, or passwords have been leaked.
The breach, according to the company, was carried out using an old unrecycled AWS access key, although there is no clarity on who was behind the attack. TechCircle has written to JusPay for further details and is yet to receive a response.
“An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store,” JusPay said, noting that its incident response team immediately engaged and was able to trace the intrusion and stop it mid-way.
After that, the server used for the hack was terminated and the company’s merchant partners were informed about the incident, with the steps they needed to take out of caution.
JusPay counts Flipkart, Ola, Swiggy, Cred, and Uber among its customers -- who use its payment gateway SDK in their apps -- and processes about 2 million transactions every day.