Security researchers have found that Juspay, an Indian e-money transaction company, has had a server breach. Sensitive data of over 100 million debit and credit card users have been leaked on the dark web.
Reportedly, the data of the cardholders leaked on the dark web includes full names, phone numbers, and email addresses, along with the first and last four digits of their cards. The Bangalore-based company, which offers payment processing services for e-merchants like Amazon and Swiggy, has also acknowledged that in August 2020 also data of some of its users was compromised.
It was found that between March 2017 and August 2020 the breach and data leak took place. According to a report by Gadgets360, the data found on the dark web included “personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible”. Notably, though, the leaked data did not include transaction and order details.
Another report by Inc42 reveals that the leaked data on the dark web includes “user’s card brand (VISA/Mastercard), card expiry date, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID, and merchant account ID, among several other details. In all, over 16 fields of data relating to their payment cards have been leaked for at least 2 crore users, as conceded by Juspay, a subset of the total number of user records (10 crores) that have been leaked.” Another subset of data which included the phone numbers and email addresses of users was leaked, reportedly.
Even though it was found that the leaked information reveals only partial copies of card numbers, phishing scams can be on the rise due to the breach. The dark web is being used as a market for selling the leaked data for an undisclosed amount.
“On 18 August 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records,” Juspay founder Vimal Kumar said, according to First Post. “The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed,” he added.