Juspay, the leading Indian payment processing startup has been revealed to suffer a major data breach in which the masked credit and debit card numbers, email ids, names, and phone numbers of at least 3.5 crore users have been compromised.
The breach was discovered by Indian cybersecurity researcher Rajshekhar Rajaharia who alerted Juspay and various news outlets about the same. Juspay, which processes payments for major tech firms like Amazon, Swiggy, MakeMyTrip, soon followed this up with a blog post of its own, revealing the facts of the matter from their end.
The breach took place in the early hours of August 18, 2020, according to Juspay. Their account of the matter further holds that their incident response team dealt with the breach as soon as the system had been alerted.
The breached server was accessed via an old AWS access key that hadn’t been recycled. However, the leaked information was non-sensitive. It included masked credit and debit card numbers (with the first and last four digits showing), customer email ids and phone numbers, as well as card expiry. The researcher who reported the matter confirmed the same to various news outlets.
Juspay reassured users that no pins, CVVs, full card numbers, and order details were compromised in the breach. Despite this, Rajaharia believes that if hackers figure out how to decrypt the masked card numbers, it could mean bad news for customers and the firm. However, in response to this claim, Juspay told Gadgets 360 that decrypting card numbers is impossible as their system encrypts them hundreds of times and the algorithm cannot be reverse-engineered.
After the breach, Juspay alerted all of its partners and collaborated with them to strengthen the security of their system. Some of the measures taken to do this were to enable 2 factor authentication for accessing any of its servers and switching to a newer and more secure locking system. Juspay also seems committed to decreasing their data collection and data retention by amping up their compliance with existing data privacy frameworks such as the GDPR and DEPA.
Data Now on the Dark Web
Rajaharia originally found out about the data dump via the dark web, where it is up for sale. According to him, the hacker is contacting interested buyers via telegram and is asking for payment in Bitcoin. One source claims that the seller is charging $8000 for the data.
Not Just a Breach But a Larger Conspiracy
That’s not all there is to this breach. The news of Juspay’s data leak might have surfaced much sooner were it not for a cybersecurity firm called Cyble.
Based in the US, the startup arrived on the cybersecurity scene about 2 years ago. In this short span, it has become known as a bully by tech startups all over the world, but especially in India.
According to The Ken, one of the ways in which Cyble gains clients is by tracking down major data breaches and contacting the involved companies with deals. If the company rejects, Cyble posts about the breach on their blog. In Juspay’s case, they thought it better to become a client of the firm than to have this news exposed.
However, such wasn’t the case for BigBasket, who refused to partner with Cyble only to have the latter reveal the data leak the former had suffered.
While Juspay’s decision to prevent news of the breach from being known might raise eyebrows, the company seems dedicated to the privacy of its users’ data as it follows the highest level of compliance laid down in the PCI DSS, a payment security protocol.
Cybersecurity Laws in India Need Reform
India has suffered its fair share of data breaches over the past few years. Financial security is an especially hot topic as more users are opting for digital payment options. In terms of digital payments specifically, India is projected to account for 2.2% of the global digital payments market in the next two years.
National Security Advisor Ajit Doval believes that India’s increasing dependence on digital payments could end up becoming a dangerous thing in the future given the increasing number of financial frauds in the country.
With this in mind, India’s data privacy laws need quick reform to keep up with its rapidly changing digital climate owing to the large number of smartphone and internet users in the country.