Personal data of over 10 crore Indian credit and debit card owners has been leaked, or rather auctioned, for an undisclosed amount of money online on the dark web.
This astonishing discovery was made by independent cybersecurity researcher Rajshekhar Rajaharia. According to Rajaharia, the data was leaked through a compromised server of Juspay Technologies, a Bangalore-based digital payment gateway company.
On Sunday, Rajaharia revealed that the data of people owning credit and debit cards is being sold on the dark web. The data was traded via the cryptocurrency Bitcoin.
As per the statement given by Rajaharia to IANS, “For this data, hackers are also contacting via Telegram”.
He also noted that “However, if the hackers can find out the Hash algorithm used to generate the card fingerprint, they will be able to decrypt the masked card number. In this condition, all 10 crore cardholders are at risk”.
Rajaharia says that Juspay follows the Payment Card Industry Data Security Standard (PCI DSS) for collecting and storing its users’ credit and debit card information.
The leaked data contains details of many card owners, including the card expiry date, customer ID, first and last four digits of the card and the masked card number. These details, along with the owner’s contact information, can be used by fraudsters and scammers to perform phishing attacks on others.
As per reports by IANS, Juspay claims that neither financial information nor credit or debit card numbers were compromised in the cyber-attack, and that the true number of stolen records is lower than the reported number.
Juspay’s spokesperson said in a statement that, “Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records”.
But Juspay insists that the disclosed data belongs to very “few” people and has dummy values. Juspay also said that the company had already informed all its trading partners of the security breach on the same day the theft took place.
However, the spokesperson also added, “No card numbers (like 16-digit card number and other financial credentials) were accessed, as it is stored in a completely different isolated system. No transaction or order information was compromised”.
According to Juspay, the hacker gained access to the company’s developer keys, which led them into the new servers and thus gave them access to the personal data of Juspay’s clients.
But Juspay argues that masked card numbers are not recognised as sensitive under the security agreement.
Juspay also assured people that “We are making long-term investments for strengthening security and data governance with industry experts”.
The leaked data includes online transactions from as far back as March 2017 to August 2020.
Juspay, founded in 2012, is one of the most famous payment platforms and processes transactions for many companies like Amazon, MakeMyTrip, Swiggy, Vodafone, Uber, Cred, Ola and Flipkart.
Most of us have used these apps, and now our data is compromised. It is very scary for me, but it is very much possible that the leaked data could even be my own!
Find the Blogger: @aditi_21gupta