/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow Us/ciol/media/post_banners/wp-content/uploads/2019/05/cybersecurity.jpg)
Sensitive data of over 100 million credit and debit cardholders have been leaked on the Dark Web, according to a security researcher. The data included full names, phone numbers, and email addresses of the cardholders. It also included the first and last four digits of their cards. It appears to have been associated with a payments platform, Juspay. Juspay processes transactions for Indian and global merchants including Amazon, MakeMyTrip, and Swiggy, among others. On Sunday, the startup acknowledged the compromise of some of its user data.
About the data breach on Dark Web
According to Rajshekhar Rajaharia, the leak included online transactions that took place at least between March 2017 and August 2020. Gadgets 360 first reported the breach from the files it accessed. However, the leak does not include particular transactions or order details. Further, if a scammer combined the details with the contact information available in the dump, they can run phishing attacks on the cardholders.
Another report by Inc42 reveals that the data on the dark web includes:
• user’s card brand (VISA/Mastercard)
• card expiry date
• the last four digits of the card
• the masked card number
• the type of card (credit/debit)
• the name on the card
• card fingerprint
• card ISIN
• customer and merchant account ID, among several other details.
In all, the breach saw the leak of over 16 fields of data relating to their payment cards for at least 2 crore users. According to Juspay, its a subset of the total number of user records (10 crores). Reportedly, another subset of data leaked that included the phone numbers and email addresses of users.
From Juspay
Juspay has acknowledged the breach, but it also assures that the leaked information was not "sensitive". Juspay founder Vimal Kumar has made it clear that the company detected, and terminated an "unauthorised" attempt on our servers on August 18 2020. He also said, "No card numbers, financial credentials or transaction data were compromised and our card vault, in a different PCI-compliant system with encrypted card data, was never accessed."
Juspay also follows the standards laid down in PCI DSS (Payment Card Industry Data Security Standard). Yet, according to Rajaharia, if the hacker can find out the algorithm that the company uses to generate the card fingerprint, then s/he will be able to decrypt the masked card number.
Read More: From FireEye to WhiteHat Jr, top 10 data breach incidents of 2019-2020 in India