The massive data breach on payments processing platform Juspay could have potentially grave consequences, even though the company has said that only non-sensitive data was breached and that customers were not at risk.
Juspay has confirmed that 3.5 crore records with masked card data and card fingerprint were breached, while email IDs and phone numbers were also compromised in a breach through unauthorised access in August 2020. Juspay processes over 4 million transactions worth Rs 1000 crore every day across e-commerce platforms such as Amazon, Swiggy, Ola and others.
Some of these companies said they are currently investigating, while Amazon has said they have "not seen any impact from recent events as reported."
Swiggy said 'no usable banking information such as the 16 digit card number of our customers was compromised in this incident'.
In a statement on the incident, Juspay said, "Juspay was the victim of a cyberattack in one of its isolated storage systems on August 18, 2020. Our security audit conducted immediately after this incident has isolated the cause to an unrecycled access being compromised. The breach was restricted to an isolated system containing non-sensitive masked card data primarily used for display purposes on merchant UI and cannot be used for completing a transaction. All of the customers' full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information."
Juspay said that it did not inform customers at the time of the breach, because they were not at risk as masked card data, which only shows a few digits of the credit card number, cannot be used for completing a transaction.
What is concerning is that Juspay's public acknowledgement came after the matter was first brought to light on Monday by Rajshekhar Rajaharia, who says he is an independent cyber-security researcher and founder of a digital marketing firm.
While this breach occurred in August, Rajaharia came across this data on the dark web a few days ago, offered in exchange for Bitcoin. And while the company says the number of affected users is 3.5 crore, Rajaharia says that based on information from the dark web seller there were 10 crore email IDs and phone numbers and 4.5 crore card details.
"On 3 January, I came across a seller on the dark web selling two files of data, one with email addresses and mobile numbers of 100 million customers, while the other had stored card data of 46 million transaction details."
Rajaharia has also dismissed the company's claims that since only non-sensitive data was compromised, there is no risk to customers. Rajaharia says the potential risk of such a breach is high, especially because card fingerprint data has been breached, and if a hacker can get access to the encrypted algorithm, it would lead to all the card data being exposed.
"The company masks the middle six digits but also stores the fingerprint of the card number, which is a hash value of the card number. If the hacker can figure out the algorithm for the card fingerprint, they can easily unmask all digits," Rajaharia said.
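The risk Rajaharia describes comes down to how the fingerprint is computed. With the first six and last four digits shown, a masked card leaves only the middle six digits (at most one million values) unknown, so an unkeyed hash of the full number can be matched by enumeration, whereas a keyed fingerprint (HMAC under a secret held outside the data store) cannot be checked without the key. The following is an added illustration, not Juspay's code; the sample card number, masking format and key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample: a well-known test-style number, not a real card.
SAMPLE_PAN = "4111111111111111"


def mask_pan(pan: str) -> str:
    """Display form described in the article: first 6 and last 4 digits shown, middle six hidden."""
    return pan[:6] + "*" * 6 + pan[-4:]


def fingerprint_unkeyed(pan: str) -> str:
    """Weak design: a plain hash of the card number with no secret involved."""
    return hashlib.sha256(pan.encode()).hexdigest()


def fingerprint_keyed(pan: str, key: bytes) -> str:
    """Stronger design: HMAC-SHA256 under a secret key that is never stored beside the records."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, fp: str,
                fingerprint: Callable[[str], str] = fingerprint_unkeyed) -> Optional[str]:
    """Check whether a stored fingerprint can be matched from masked data alone.

    Walks every possible value of the six hidden digits and compares the
    fingerprint of each candidate with the stored one. Succeeds only when the
    fingerprint function needs no secret, which is exactly the defect to test for.
    """
    prefix, suffix = masked[:6], masked[-4:]
    for n in range(10 ** 6):
        candidate = f"{prefix}{n:06d}{suffix}"
        if fingerprint(candidate) == fp:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print("unkeyed:", recover_pan(masked, fingerprint_unkeyed(SAMPLE_PAN)))
    key = secrets.token_bytes(32)  # constructed secret, held outside the record store
    print("keyed:  ", recover_pan(masked, fingerprint_keyed(SAMPLE_PAN, key)))
```

Run as a self-check against a fingerprint scheme: the unkeyed fingerprint is recovered from the masked value, while the keyed one is not matched by any of the one million candidates.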
Tobby Simon, founder and president of Synergia Foundation, hit out at Juspay for not disclosing the breach to customers immediately, and called the company "highly irresponsible".
“Cryptography is based on algorithms. Quantum computing in AI can crack any cryptography,” Simon said.
“It is highly irresponsible of the company to say that consumers are not at risk. Some of the biggest online frauds have happened around e-commerce companies,” he said.
(Edited by : Abhishek Jha)