The disclosures came after internet security researcher Rajshekhar Rajaharia shared on social media a sample of the data that was available for sale on the dark web. “The database was put for sale by an unknown person who was dealing through Telegram,” Rajaharia told TOI.
Acknowledging the breach, Juspay said on August 18, 2020, the company noticed unauthorised activities in one of its data stores. “An old unrecycled AWS access key was exploited and that enabled the unauthorised access. An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store. Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated and the entry point for this intrusion was sealed,” the company said in its blog.
“About 3.5 crore records with masked card data and card fingerprint (which are non-sensitive information) were breached. The masked card data is used for display purposes and cannot be used for completing a transaction,” Juspay said in its blog. “A portion of the 10 crore user metadata in our system, which has non-anonymised, plain-text email IDs and phone numbers, got compromised,” Juspay said.
Explaining the delay in disclosure, Juspay said, “We verified that our secure data store, which hosts the confidential card numbers, was not accessed or compromised. Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and, as a measure of abundant precaution, they were issued fresh API keys, though it was later verified that even the API keys in use were safe.”
Almost five months after the breach, a seller on the dark net shared a sample dump with Rajaharia. The dark net refers to internet servers that are not accessible to search engines, but which can be accessed through special tools that anonymise user information.
Rajaharia said, “The sample data masks the card number and discloses only six digits in keeping with PCI (payment card industry) standards. But in addition to the masked number, the data includes the card fingerprint — which is a hashed credit card number. While a hashed card number by itself cannot be decrypted, anyone who gets their hands on Juspay’s algorithm can decrypt the numbers. The seller was asking for $8,000 in bitcoins for the entire data dump, which he claimed was around 100 million and about 45 million records of transactions.”
Juspay has said that since CVV and PINs are not stored by the company, this critical information is not compromised. According to those in the payment industry, masked card numbers are useless unless someone has access to the algorithm and key to decrypt the data. But others say that fraudsters can put together the pieces and engage in a phishing attack.
Payments in India are subject to two-factor authentication (they require either a one-time password or PIN), but international use does not have such requirements. The RBI has already asked banks to give customers the option to switch off their cards for international transaction through multiple channels (apps, online, or text messages).