Data of 10 crore credit, debit cardholders leaked on Dark Web; Juspay assures leaked information not 'sensitive'

An independent cyber security researcher has revealed that sensitive data of over 100 million credit and debit cardholders have been leaked, in a breach of Juspay's servers on the dark Web. This includes full names, phone numbers, and email addresses of the cardholders, along with the first and last four digits of their cards. 

Payments platform Juspay, a Bengaluru-based startup, processes transactions for Indian and global merchants including Amazon, MakeMyTrip and Swiggy among others. The startup acknowledged that some of its user data had been compromised in August.

It was found that the breach and data leak took place between March 2017 and August 2020. It included personal details of several Indian cardholders along with their card expiry dates, customer IDs, and masked card numbers with the first and last four digits of the cards fully visible. However, particular transaction or order details are not apparently a part of the leak.

The leaked data of users is being sold on the dark web for an undisclosed amount. Juspay has acknowledged the breach, but it also assures that the leaked information was not 'sensitive'. JusPay told IANS that no card numbers or financial informations were compromised during the cyber-attack and the actual number is much lower than the 10 crore-figure being reported.

"On August 18, 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised," a company spokesperson said in a statement.

"Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records," the spokesperson added.

The company admitted that the hacker gained access to one of Juspay's developer keys and was spawning new computation servers in the developer account, trying to gain access to any accessible data. Juspay, however, said the masked card numbers that have been leaked are not considered sensitive as per compliance.

Founded in 2012, Juspay holds Payment Card Industry Data Security Standard (PCI DSS) Compliance Level 1, which is the highest level of compliance given by the PCI Security Standards Council to payment merchants.