Recently, crucial data of 100 million digital payment transactions was leaked on the Dark Web. Read on to know more about it…
In what appears to be the biggest data leak in India’s history in terms of the number of users affected, sensitive data of over 100 million credit and debit cardholders has been leaked on the Dark Web, according to a security researcher. The leaked data, which is in the form of a data dump, appears to have come from a compromised server of Bengaluru-headquartered mobile payment solutions company Juspay.
Juspay is associated with a payments platform that processes transactions for Indian and global merchants including Amazon, MakeMyTrip, and Swiggy, among others. The Bengaluru-based startup acknowledged that some of its user data had been compromised in August.
Founded in 2012, Juspay holds Payment Card Industry Data Security Standard (PCI DSS) Compliance Level 1, which is the highest level of compliance given by the PCI Security Standards Council to payment merchants.
The details available on the Juspay site show that it has a team of over 150 people that reaches 50 million users daily. Its products are claimed to process over four million daily transactions, and its software development kits (SDKs) are available on over 100 million devices.
Details of Compromised Data
It was reported that the data that surfaced on the Dark Web relates to online transactions that took place at least between March 2017 and August 2020.
The compromised data included personal details of several Indian cardholders: the full name on the card, card expiry date, masked card number with the first and last four digits fully visible, card brand (VISA/Mastercard), type of card (credit/debit), card fingerprint, card ISIN, customer ID and merchant account ID, among several other details. In all, over 16 fields of data relating to payment cards have been leaked for at least 2 Cr users, as conceded by Juspay; this is a subset of the total number of user records (10 Cr) that have been leaked.
Another subset of the leaked database contained users’ phone numbers and email addresses. However, particular transaction or order details do not appear to be part of the leak.
Scammers could combine the surfaced details with the contact information available in the dump to run phishing attacks on the affected cardholders.
The leaked payment information has been masked in places to reveal only partial copies of card numbers. While this reduces the possibility of a financial scam, resourceful hackers could still use the information to launch phishing scams to induce victims to hand over their card information.
It is worth noting that Juspay followed the standards laid down in PCI DSS (Payment Card Industry Data Security Standard) in storing users’ card information. However, security experts felt that if a hacker can find out the algorithm used to generate the card fingerprint, then the cyber-criminal will be able to decrypt the masked card number.
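Why the fingerprint algorithm matters here, as an added example that is not from the article or from Juspay: with the first and last four digits visible, the Luhn checksum leaves 10^7 possible values for a 16-digit number, so a fingerprint computed as a bare hash lets anyone holding the dump confirm a guess offline, while one keyed with a secret stored outside the database does not. SHA-256, HMAC-SHA-256, the key and the function names are assumptions; the article does not say how the fingerprint is generated.

```python
import hashlib
import hmac

def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Mask as the article describes: first and last four digits visible."""
    return pan[:4] + "X" * (len(pan) - 8) + pan[-4:]

def candidate_space(masked: str) -> int:
    """Count of Luhn-valid numbers consistent with a mask.
    Fixing all hidden digits but one leaves exactly one valid value for the last."""
    hidden = masked.count("X")
    return 10 ** (hidden - 1) if hidden else 1

def fp_unkeyed(pan: str) -> str:
    """Weak design (assumed): fingerprint is a bare hash of the card number."""
    return hashlib.sha256(pan.encode()).hexdigest()

def fp_keyed(pan: str, key: bytes) -> str:
    """Stronger design (assumed): HMAC under a key held outside the database."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def guess_checkable(guess: str, leaked_fp: str, fp) -> bool:
    """Can a party holding only the dump confirm a guess using function fp?"""
    return hmac.compare_digest(fp(guess), leaked_fp)

# Constructed sample: a public test card number, not data from the leak.
PAN = "4111111111111111"
SERVER_KEY = b"constructed-demo-key-kept-outside-db"

if __name__ == "__main__":
    m = mask(PAN)
    print(m, "leaves", candidate_space(m), "Luhn-valid candidates")
    print("bare hash confirms a guess:",
          guess_checkable(PAN, fp_unkeyed(PAN), fp_unkeyed))
    no_key = lambda p: fp_keyed(p, b"key-unknown-to-dump-holder")
    print("keyed fingerprint, key not in dump:",
          guess_checkable(PAN, fp_keyed(PAN, SERVER_KEY), no_key))
```
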
Experts often point out that data leaks are getting more common in India as the country is expanding its digital infrastructure without proper regulations on cybersecurity. The lack of a privacy protection law also means that companies operating in the country face no compulsion to protect their user data firmly.