“Non-sensitive masked card information, card expiry information, mobile numbers and email ids of a subset of our users were compromised…no full card numbers, no order information, no card PINs & no passwords were leaked,” claimed Juspay in its official blog.
Media reports claimed that credit, debit card data of 100 million users were leaked on the dark web as tipped by a cybersecurity researcher. Commenting on the media reports, the company said that news articles are simply “sensationalizing the incident”.
Explaining the breach, Juspay said, “On 18th Aug 2020 during the early hours, we noticed an unauthorised activity in one of our data stores. An old unrecycled AWS access key was exploited and that enabled the unauthorized access.”
But Juspay claims that the issue was fixed quickly. “Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the hack was terminated and the entry point for this intrusion was sealed. Within the same day, a system audit was done to make sure the entire category of such issues is prevented. Our merchants were informed of the unauthorized access on the same day and were made to take various precautionary measures,” it added.
As far as the impact is concerned, the company said that email IDs and phone numbers were compromised.
“About 3.5 Cr records with masked card data and card fingerprint (which are non-sensitive information) were breached. The masked card data is used for display purposes and can not be used for completing a transaction. A portion of the 10 Cr user metadata in our system which has non-anonymised, plain-text email IDs and phone numbers got compromised,” it explained.