Indian Payment Platform JusPay Breached
Security Researcher Says Leaked Data Offered for Sale on Darknet
JusPay, an Indian online payment platform, acknowledged Monday that it sustained a breach of customer data in August. The announcement came a day after an independent security researcher reported that data on millions of JusPay customers had been offered for sale on a darknet forum.
In a blog post, JusPay acknowledged it sustained a breach on Aug. 18, which the company says it immediately addressed. The breach appears to have stemmed from a recycled Amazon Web Services access key that enabled unauthorized access to its databases, the company said.
Hackers accessed the company's server containing "masked" card information, card expiration information and mobile telephone numbers, JusPay said. Email IDs were also accessed for a subset of its users.
"On 18th Aug 2020 during the early hours, we noticed an unauthorized activity in one of our data stores," according to the JusPay blog posted Monday. "Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated, and the entry point for this intrusion was sealed."
Scale of Impact
The breach revelation from JusPay came a day after Rajshekhar Rajaharia, an independent cybersecurity researcher, shared information with local news media outlets that he said shows nearly 100 million JusPay customer records are listed for sale on the darknet.
The data offered for sale includes the names and contact details of 55 million JusPay customers and 45 million transaction details, including masked debit and credit card information, Rajaharia says. The data is being offered for $8,000, payable in bitcoin, he adds.
JusPay says, however, that about 30 million records were accessed in the August data breach. The company also says that users' PIN numbers, CVV numbers or passwords were not compromised in the breach.
Rajaharia notes that the masked JusPay data being offered for sale hid the first six digits of the payment card. The data listed for sale also includes a hash of the entire 16 digits of the card.
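The storage pattern described above, a masked card number kept beside a hash of the full number, can be audited as in the following added example, which is not JusPay's code and not part of the original article. It measures how little uncertainty the mask leaves and contrasts an unkeyed hash with a keyed HMAC; SHA-256, the record field names, the key and the sample test card number are assumptions.

```python
import hashlib
import hmac
import math

def mask_first_six(pan: str) -> str:
    """Mask as the article describes: the first six digits are hidden."""
    return "X" * 6 + pan[6:]

def residual_candidates(masked: str) -> int:
    """Card numbers consistent with a mask. Each hidden digit has 10 values,
    and the Luhn check-digit rule removes one factor of 10."""
    hidden = masked.count("X")
    return 10 ** (hidden - 1) if hidden else 1

def unkeyed_fingerprint(pan: str) -> str:
    # Weak: anyone holding the data can recompute this for any guess.
    return hashlib.sha256(pan.encode()).hexdigest()

def keyed_fingerprint(pan: str, key: bytes) -> str:
    # Hardened: a guess cannot be checked without the key, which must be
    # held outside the data store (for example in an HSM or KMS).
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def audit(record: dict) -> list:
    """Flag records where a mask and an unkeyed hash sit side by side."""
    findings = []
    n = residual_candidates(record["masked_pan"])
    if record["scheme"] == "sha256":  # hypothetical scheme label
        findings.append(
            f"unkeyed hash beside mask: only {n} candidates "
            f"({math.log2(n):.1f} bits) protect the full number")
    return findings

# Constructed sample data; 4111111111111111 is a widely used test card number.
PAN = "4111111111111111"
KEY = b"constructed-demo-key-not-a-real-secret"
weak = {"masked_pan": mask_first_six(PAN), "scheme": "sha256",
        "fingerprint": unkeyed_fingerprint(PAN)}
hardened = {"masked_pan": mask_first_six(PAN), "scheme": "hmac-sha256",
            "fingerprint": keyed_fingerprint(PAN, KEY)}

if __name__ == "__main__":
    for name, rec in (("weak", weak), ("hardened", hardened)):
        print(name, audit(rec) or "no finding")
```

The keyed form only helps if the key is stored and access-controlled separately from the database that holds the fingerprints.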
"So, if those buying the JusPay data have access to hash algorithms, then they can decrypt the masked number, putting nearly 100 million users at the risk of various payment frauds," Rajaharia tells Information Security Media Group.
Recent Breaches in India
Over the last several months, several large Indian organizations have been affected by data breaches, leading to stolen data being listed for sale on darknet forums.
In December, Rajaharia discovered circulating on darknet forums 2 GB of personally identifiable information, including names, email addresses, contact details, the types of banking accounts used and Permanent Account Numbers, of 7 million debit and credit cardholders in India (see: Personal Details of 7 Million Indian Cardholders Exposed).
In October, Dr. Reddy's Laboratories, a multinational pharmaceutical company based in India, which has been testing a COVID-19 vaccine, was the victim of a ransomware attack. The incident forced the firm to shut down plants in India, Brazil, Russia and the U.K. to prevent further spread (see: Indian Pharmaceutical Company Investigates Security Incident).
And in September, a hacking campaign targeted India's defense forces, including individual soldiers, with phishing emails and malware designed to steal data, according to Seqrite Cyber Intelligence Labs (see: Hackers Target India's Military).