In what is being considered one of the biggest credit card data leaks in India, sensitive information of nearly 10 crore cardholders has been leaked on the dark web in the form of a data dump. As per the latest reports, the Juspay data breach is the result of a compromised server at the Bengaluru-headquartered mobile payment solutions company.

The data dump contains sensitive information, including names of issuing banks, customer ID, masked credit/debit card numbers, expiry date, names, and merchant account ID, among several other details, and is now being sold for an undisclosed amount. The payment company offers payment processing services for e-merchants like Amazon, MakeMyTrip, and Swiggy. In total, over 16 fields of credit card data have been leaked; as conceded by Juspay, a subset of the total 10 crore user records has been leaked. Reportedly, another leaked subset of data included email addresses as well as phone numbers of users.

It is being said that the leaked card data of Juspay users was concealed in places so that only partial card numbers are exposed; however, the Juspay data breach has now left millions of users vulnerable to phishing scams. Rajshekhar Rajaharia, the cyber security researcher who first spotted the breach, said that the Juspay data breach could become a lot more serious if hackers figure out the encryption algorithm. Since the credit card data leak includes mobile numbers, they could call unsuspecting cardholders and trick them into giving out their full card numbers, PIN, CVV as well as OTP. He also explained that since these users are paying customers, the leak holds a lot of importance for scammers and hackers.

Juspay has acknowledged the credit card data leak but has maintained that the breached data didn’t contain any sensitive information. Juspay founder Vimal Kumar said, “On 18 August 2020, an unauthorised attempt on our servers was detected and terminated when in progress. No card numbers, financial credentials or transaction data were compromised. Some data records containing non-anonymised, plain-text email and phone numbers were compromised, which form a fraction of the 10 crore data records.” He further added, “The masked card data (which is not sensitive) has 2 Cr user records. Our card vault, in a different PCI-compliant system with encrypted card data, was never accessed.”
