Pedestrians cross the road in India showing impact of data breach on payment processor

Amazon, Swiggy Payment Processor Juspay Downplays Data Breach That Led To 100 Million Records Circulating on the Dark Web

Juspay downplayed the massive data breach that affected millions of customers, saying it did not expose any sensitive customer information.

The Bengaluru-based company acknowledged the breach five months after a researcher found 100 million records selling on the dark web. Juspay claims that the media sensationalized the breach, blowing it out of proportion.

The Indian payment processor handles more than four million daily transactions through Amazon, Swiggy, MakeMyTrip, Vodafone, Uber, Ola, and other ecommerce platforms

Indian payment processor Juspay acknowledges but downplays a massive data breach

The Indian payment processor Juspay released a statement saying that it was the victim of a cyberattack on one of its isolated storage systems on August 18, 2020. The company said that the data breach occurred when “an old unrecycled AWS access key was exploited,” enabling unauthorized access and triggering an automatic system alert.

Juspay said its failure to inform the public of the data breach was because the victims were not at risk.

“Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe,” the company’s statement read.

The Bengaluru-based payment processor acknowledged the data breach after an independent cybersecurity expert Rajshekhar Rajaharia disclosed the breach five months after it happened.

One hundred million customers were affected by Juspay’s data breach

Juspay confirmed that 35 million records with masked card data and card fingerprint were breached. Similarly, 100 million “non-anonymized” customers’ user metadata information containing email IDs and phone numbers were accessed by unauthorized attackers in the August 2020 breach.

Rajaharia tweeted that the data included names, mobile numbers, and bank names. And Inc42 reported that the leaked data contained 16 fields including “card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID.”

However, Juspay claimed that “these reports claiming that data of 100 million cardholders’ was breached or ‘India’s largest breach’ is grossly inaccurate.”

The payment processor also noted that the breach was restricted to an isolated system storing masked card details for display purposes on merchant UI. Consequently, the exposed details could not be used for completing a transaction because masked card data only displays a few credit card numbers.

The company clarified that the information did not contain any order or transaction information and that “all of the customers’ full card numbers, order information, card PIN, or passwords are secure.”

Juspay’s data marketed on the dark web marketplace

Rajaharia said he stumbled upon Juspay’s data dump selling on the dark web marketplace for $8,000 worth of bitcoins.

“On 3 January, I came across a seller on the dark web selling two files of data, one with email addresses and mobile numbers of 100 million customers, while the other had stored card data of 45 million transaction details,” the cybersecurity researcher said.

Rajaharia believes that the risks posed by Juspay’s data breach were higher than the payment processor had initially acknowledged. He points out that storing the card’s fingerprint alongside the masked card number from which it was generated could potentially lead to the eventual unmasking of the six hidden numbers.

“If the hacker can figure out the algorithm for the card fingerprint, they can easily unmask all digits,” Rajaharia said.

Additionally, having customers’ emails and phone numbers and partial credit card details allows hackers to create targeted phishing messages duping customers into revealing their full payment information.

Amazon investigators said they had not experienced any impact from Juspay’s data breach. Similarly, Swiggy confirmed that “no usable banking information such as the 16-digit card number of our customers was compromised in this incident.”

Indian credit card transactions require two-factor authentication, but international transactions lack that security feature. The Reserve Bank of India (RBI) is reportedly discussing the enforcement of payment aggregator licensing requirements to prevent similar data breaches in the future.

“The Juspay breach shows that 2021 is starting off Business as Usual for malicious actors, with long dwell times between intrusion and discovery,” says Saryu Nayyar, CEO at Gurucul. “While some of the data in this breach was obfuscated, there is a very real possibility that the attackers could overcome the obfuscation. Even if they don’t, the stolen information could be used for sophisticated social engineering or spear-phishing attacks.”

Nayyar was also concerned about the dwell time, noting that a mid-August data breach being reported now “indicates there may have been some gaps in Juspay’s security stack or their security operations process.”