Days after the data of 2 crore BigBasket users was available for sale on the dark web, over 3.5 crore records from payment platform Juspay are now available for sale. The breach took place on August 18, 2020; however, the company issued a clarification in a blog post only after entrepreneur and internet security researcher Rajshekhar Rajaharia spotted the data being sold on the dark web.
A data store of Juspay, a Bengaluru-based start-up, was compromised in August 2020, resulting in the breach of over 3.5 crore records. A partner for some of the leading merchants, including Amazon, Swiggy, MakeMyTrip, Yatra, Freecharge, BookMyShow and Snapdeal, amongst others, Juspay processes around 650k transactions per day.
While the screenshots available on the web show cardholder details such as bank name, last four digits of the card, and expiry month and year, amongst others, Juspay claims that 3.5 crore records with masked card data and card fingerprint (which are non-sensitive information) were breached.
A portion of the 10 crore user metadata in Juspay's system, which has non-anonymised, plain-text email IDs and phone numbers, was also compromised. According to the company, the masked card data is used for display purposes and cannot be used for completing a transaction. Juspay also claims that it does not store CVVs, PINs or passwords, and hence this data was not compromised. Order and transactional data, API keys and source code were not compromised either.
The breach happened during the early hours of August 18, 2020, when the company noticed unauthorised activity in one of its data stores: an old, unrecycled AWS access key had been exploited, enabling the unauthorised access. Juspay uses different systems to store data depending on the sensitivity of the information and the functionality.
An automatic system alert was triggered by a sudden increase in the usage of system resources on the data store, and Juspay's incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated and the entry point for the intrusion was sealed. Merchants were informed of the incident and system audits were conducted on the same day, and the company carried out a thorough analysis of the audit trails to gather forensic information and assess the impact of the issue.
Following the breach, Juspay has worked with its merchant partners to refresh API keys and invalidate the old keys, enforced two-factor authentication for all tools in the company, and moved away from AWS access key-based automation to IAM role-based temporary security credentials as a more secure alternative. It has also recycled all older credentials in its systems and set tight key rotation policies. Juspay has also engaged threat intelligence experts and invested in threat monitoring tools.
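
The entry point described above was an old access key that had never been recycled, and the remediation included tight key rotation. As an added example (not Juspay's code), the Python script below flags active long-lived keys in an AWS IAM credential report; the 90-day threshold, the reference date and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; the article gives no figure
AS_OF = datetime(2020, 8, 18, tzinfo=timezone.utc)  # assumed audit date

# Constructed sample using a subset of the IAM credential report columns.
SAMPLE_REPORT = """user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
ci-deploy,true,2018-03-02T10:15:00+00:00,2019-01-20T08:00:00+00:00,false,N/A,N/A
report-job,true,2020-07-01T09:00:00+00:00,2020-08-10T12:30:00+00:00,true,2017-11-05T00:00:00+00:00,N/A
alice,false,2016-05-05T00:00:00+00:00,N/A,false,N/A,N/A
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; unset fields read 'N/A'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)

def stale_keys(report_csv, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key slot, age in days, reasons) for risky active keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # an inactive key cannot authenticate
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            age = (now - rotated).days if rotated else None
            reasons = []
            if age is None or age > max_age_days:
                reasons.append("overdue_rotation")
            if last_used is None:
                reasons.append("never_used")
            elif (now - last_used).days > max_age_days:
                reasons.append("dormant")
            if reasons:
                findings.append((row["user"], f"key_{slot}", age, reasons))
    return findings

if __name__ == "__main__":
    for user, key, age, reasons in stale_keys(SAMPLE_REPORT, AS_OF):
        print(f"{user} {key}: age={age}d -> {', '.join(reasons)}")
```

Keys that are active but dormant or never used are the first candidates for deletion, since nothing depends on them; the remaining overdue keys are the ones to replace with role-based temporary credentials.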