The first week of 2021 has recorded the biggest data leak in history. Rajshekhar Rajaharia, a cybersecurity researcher, claimed last Sunday that the transaction data of about 100 million debit and credit cardholders was sold in the name of Juspay, a fintech service provider. According to him, a massive amount of data has been leaked from a compromised Juspay server. Hackers sold the data on the Dark Web for an undisclosed amount, paid in the cryptocurrency Bitcoin.
Leaked data found on Dark Web
Rajaharia discovered the personal details of nearly seven million credit and debit cardholders on the Dark Web. The leaked data related to transactions that occurred between March 2017 and August 2020. He found the dumped data last week.
Rajaharia verified the connection with Juspay. He reached this conclusion after comparing the data fields in the MySQL dump sample files he received from the hacker with the company’s API document file. He also found that the hackers were making contact via the Telegram app. He noted,
“However, if the hackers can find out the Hash algorithm used to generate the card fingerprint, they will be able to decrypt the masked card number. In this condition, all 10 crore cardholders are at risk.” - Rajaharia
The CEO of Juspay also said that the company does hundreds of rounds of hashing with multiple algorithms. In addition, the algorithms that they use currently cannot be reversed by engineers.
Juspay is a Bengaluru-based digital payments platform. It processes a huge number of transactions for many customers at big companies. The companies with which it is working are Swiggy, Uber, Flipkart, MakeMyTrip, Airtel, and Amazon. In storing users’ card information, Juspay followed the Payment Card Industry Data Security Standard (PCI DSS). Juspay acknowledged that the breach occurred on August 18, 2020.
On that day, they detected and terminated an unauthorized attempt on their servers during the investigation. But the data seems to have been leaked now, by several persons or by one person using many IDs.
Juspay’s clarification on the data leaked on the Dark Web
Juspay told the Institute of Applied Network Security (IANS) that financial information like account balances and transactions or card numbers was not leaked during the cyber-attack. The financial credentials were not accessed, as they were stored in a completely isolated system. They said that there was an unfortunate compromise of some data records. These contained non-anonymized, plain-text email addresses and phone numbers of cardholders. They were dummy values that form nearly 10 crore data records.
According to them, the leaked masked card numbers, which show the first and last four digits, are not considered sensitive as per compliance. Further, the actual amount of data leaked is much lower than the reported 10 crore figure. Information about the data leak reached merchant partners on the very same day.
The company admitted that the hacker gained access to one of Juspay’s developer keys. He was spawning new computation servers in the developer account, specifically trying to gain access to any accessible data.
The company said that they are making long-term investments in order to strengthen security and data governance. Above all, they are going to do so with the help of industry experts.
AUTHOR : Aashi Bansal