The Indian startup, payment services provider, Juspay, said on Tuesday (05) that it suffered a data breach that affected about 35 million customers, in August last year.
Now, a cybercriminal is selling 365 million data from Indian companies on the dark web and Juspay is among them. The databases for sale were discovered by the researcher, Rajshkhar Rajaharia, who received a sample and published it on Twitter.
Same hacker who was selling @JusPay DB now selling DBs of more Indian companies on Dark Web. @clickindia – 8Mn @chqbook – 1Mn @wedmegood – 1.3Mn. Same Hacker also selling @bigbasket_com too. May be a strong connection between all these recent data leaks. #InfoSec #DataLeak #GDPR pic.twitter.com/zs0mA7NjLR
– Rajshekhar Rajaharia (@rajaharia) January 6, 2021
According to the Times of India newspaper, the startup has big customers and processes payments to internet giants, like Amazon, Swiggy, in addition to other companies.
Justification
Juspay guarantees that the data breached is not compromising or confidential. “Records of around 35 million users, with masked card data and fingerprint of the card (which are non-confidential information) have been breached. The data masked cards are used for display purposes in the merchant’s user interface and cannot be used to complete a transaction”, Writes the company in a statement on the official blog.
However, according to the sample published by the researcher, the data on sale reveals information such as the customer’s name, bank name and even the customers’ mobile number. “He [o cibercriminoso] possibly known as ‘ShinyHunters’, is asking for $ 10,000 for [dados da] BigBasket [e] $ 8,000 for JusPay’s, ”writes Rajaharia on Twitter.
“In addition to the number [do cartão] masked, the data includes the fingerprint of the card, which is a hashed credit card number. Although a hashed card number alone cannot be decrypted, anyone who has access to the Juspay algorithm can decrypt the numbers”, The researcher told the Times of India newspaper.
Juspay reinforces that the breach was restricted to an isolated system, which contains masked card numbers. For the company, this information is not confidential and cannot be used to complete a transaction.
“All customers’ complete card numbers, order information, card PINs or passwords are protected. Compromised data does not contain any transaction or order information”, Justifies Juspay in the statement.
Send help
In another statement, the company reports that it has contracted security services from Verizon and PricewaterhouseCoopers (PwC) to investigate the case and improve security of data, information and systems in the enterprise.
“We have appointed Verizon Business to conduct an independent PCI Forensic Investigation (PFI). We also designate PricewaterhouseCoopers (PwC) to conduct a comprehensive audit of policies, protocols and technologies. This would help to increase resilience and preparedness to mitigate threats from illegal cyber attacks, ”they write.
Juspay’s data breaches were first published on the Singaporian portal The Business Times, on December 12, 2020. But it was Bleeping Computer that published more details about the case, in addition to a screenshot of a user selling data from 25 more companies.
Sources: Rajshekhar Rajaharia; Times of india; Juspay (1), (two); The Business Times; Bleeping Computer.
See the original post at: https://thehack.com.br/dados-sao-vendidos-na-dark-web-apos-incidente-que-afetou-35-milhoes-de-clientes-da-juspay/?rand=48873
