Payment Processing Firm Of Amazon, Swiggy Has Leaked Debit/Credit Card Info Of 10 Crore Users!
In what appears to possibly be India’s biggest data leak, in terms of volumes of users affected, the data of about 10 crore cardholders have been leaked all over the dark web, due to a compromised server of an Indian mobile payment solutions company JusPay.
The Bengaluru based company provides payment gateways for Indian and global giants like Amazon, Airtel, Swiggy, Flipkart, Uber and Vodafone, including others.
Sensitive Data of 10 Cr Cardholders Leaked
It has been reported that full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards have been leaked over the dark web.
Screenshots accessed by another source reveal that the circulated ‘sensitive’ data include a user’s card brand (VISA/Mastercard), expiry date of card, the last four digits of the card, the masked card number, the type of card (credit/debit), the name on the card, card fingerprint, card ISIN, customer ID and merchant account ID, among several other details.
It also reports that in total, over 16 fields of data related to payment cards have been leaked for at least 2 crore users, among the 10 crore record.
The leaked information, in the form of a data dump, was on sale on the dark Web and was discovered last week by the cybersecurity researcher Rajshekhar Rajaharia.
He informed that the seller hacker was contacting buyers on Telegram and was asking payments in Bitcoin.
Juspay’s Response on the Data Leak
The payments solution company confirmed the data breach.
According to NDTV, the data surfaced on the dark Web is related to online transactions that took place at least between March 2017 and August 2020.
According to Juspay founder Vimal Kumar,
“On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised.
Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 Cr data records.”
Kumar added that the data records compromised were anonymised on the servers, and are not considered to be sensitive.
He also claimed that the 10 crore records were not the card details and were the customer metadata, with a subset containing email and mobile information of users.
“The masked card data (non-sensitive data used for display) that was leaked has two crore records. Our card vault is in a different PCI compliant system and it was never accessed.”
However, Rajaharia alleges that despite being masked, the card numbers could be decrypted if a hacker would figure out the algorithm used for the card fingerprints.
Also, Juspay claims that it processes over 4 million transactions per day, catering to over 100 million devices.