Data of over 10 crore credit, debit card users leaked on dark web after attack on Juspay’s server

Editor's note: The copy has been updated with the statement of GajShield Infotech CEO. 

Security researchers have found that, following a breach of Juspay's servers, sensitive data of over 100 million credit and debit card users has been leaked on the dark web. The leaked data reportedly includes full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. Juspay offers payment processing services for e-merchants like Amazon, MakeMyTrip, and Swiggy. Juspay has also acknowledged that data of some of its users was compromised in August 2020.

It was found that the breach and data leak took place between March 2017 and August 2020. According to a report by Gadgets360, the data that was found on the dark web included "personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible". Notably, though, transaction and order details were not part of the leaked data.

Another report by Inc42 reveals that the leaked data on the dark web includes "user’s card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID, among several other details. In all, over 16 fields of data relating to their payment cards have been leaked for at least 2 crore users, as conceded by Juspay, a subset of the total number of user records (10 crore) that have been leaked." Reportedly, another subset of data was leaked which included the phone numbers and email addresses of users.

Even though the leaked information of Juspay users was masked in places to reveal only partial card numbers, the breach still leaves users vulnerable to phishing scams, if not a financial scam per se.

The leaked data of users is being sold on the dark web for an undisclosed amount.

Juspay has acknowledged the breach, but it also assures that the leaked information was not "sensitive".

“On 18 August 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records,” Juspay founder Vimal Kumar said. "The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed," he added.

“On the verge of becoming a digital economy from a country that prefers cash transactions, players like Juspay play a very important role in creating trust in digital mode of payment within the existing and target userbase. Such an incident, if confirmed, irrespective of data’s sensitivity leaves a negative impression over such digital payment platforms. Also with the level of personal data like Name, Date of Birth, Phone Number, PAN Card details interlinked with each other, a simple data like Email ID and Phone Number which may not look sensitive may turn out to be lethal means of financial fraud at personal level if fallen in wrong hands,” Sonit Jain, CEO of GajShield Infotech said in a statement.