According to Juspay, a system where data was stored by the company was exposed in a cyberattack on August 18, 2020.
‘Customer card details leaked on the Dark Web’, an all-too-familiar headline these days, was most recently attached to digital payments player Juspay. Joining a long list of internet companies, the Bengaluru-based payments firm was attacked last year, and the incident came to light only recently.
According to details shared by the company, a system where data was stored by the company was exposed in a cyberattack on August 18, 2020. About 3.5 crore (35 million) records containing masked card data and card fingerprints, which the company describes as non-sensitive information, were exposed, it said.
While Juspay said the breach did not involve much sensitive or transaction data, and mostly contained masked card data of the kind displayed on merchant websites, cybersecurity officials questioned whether the country needs stronger data protection laws, both to prevent such breaches and to ensure that news of such attacks reaches the relevant authorities on time.
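What "masked card data" and a "card fingerprint" are, and why the two need to be assessed together rather than separately, is worth making concrete. The following Python is an added illustration for this article; it is not Juspay's code and says nothing about how Juspay builds its fingerprints. It masks a PAN to the first six and last four digits, the display format PCI DSS permits, derives a fingerprint as an HMAC under a secret key (an assumed scheme), and then shows the check a practitioner would run on a leaked dataset: if the fingerprint were instead an unkeyed SHA-256 of the PAN, the hidden digits could be enumerated from the mask alone (the Luhn check digit leaves roughly 10^5 candidates for a 16-digit card), whereas the keyed version yields nothing. The card numbers are the standard Luhn-valid test numbers and are constructed sample input.

```python
import hashlib
import hmac
import itertools
import secrets
from typing import Optional

# Constructed sample input: industry test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]
DIGITS = "0123456789"


def luhn_contribution(digit: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum (doubled digits fold 10..18 to 1..9)."""
    if doubled:
        digit *= 2
        if digit > 9:
            digit -= 9
    return digit


def luhn_valid(pan: str) -> bool:
    """Luhn check: every second digit counting from the right is doubled."""
    total = sum(
        luhn_contribution(int(ch), i % 2 == 1)
        for i, ch in enumerate(reversed(pan))
    )
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: first six (issuer BIN) and last four digits stay visible."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_fingerprint(pan: str) -> str:
    """Plain hash of the PAN; shown only so recover_pan can demonstrate why it is weak."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_fingerprint(pan: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key that must live outside the card-data store (assumed scheme)."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(masked: str, fingerprint: str) -> Optional[str]:
    """Attempt to reverse a fingerprint given only the masked PAN.

    Enumerates the hidden digits; the last hidden digit is solved from the
    Luhn check rather than guessed, so a 16-digit PAN costs 10**5 hashes,
    not 10**6. Returns the PAN if the fingerprint is an unkeyed SHA-256,
    otherwise None (a keyed fingerprint never matches).
    """
    n = len(masked)
    start = masked.index("X")
    end = start + masked.count("X")
    last = end - 1  # position derived from Luhn instead of enumerated
    digits = list(masked)
    last_doubled = (n - 1 - last) % 2 == 1
    for combo in itertools.product(DIGITS, repeat=last - start):
        digits[start:last] = combo
        total = sum(
            luhn_contribution(int(ch), (n - 1 - i) % 2 == 1)
            for i, ch in enumerate(digits)
            if i != last
        )
        for d in DIGITS:
            if (total + luhn_contribution(int(d), last_doubled)) % 10 == 0:
                digits[last] = d
                break
        candidate = "".join(digits)
        if unkeyed_fingerprint(candidate) == fingerprint:
            return candidate
    return None


def demo() -> dict:
    """Run the check on one sample card with both fingerprint constructions."""
    key = secrets.token_bytes(32)
    pan = SAMPLE_PANS[0]
    masked = mask_pan(pan)
    return {
        "masked": masked,
        "unkeyed_recovered": recover_pan(masked, unkeyed_fingerprint(pan)),
        "keyed_recovered": recover_pan(masked, keyed_fingerprint(pan, key)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the check is that "masked" and "non-sensitive" are properties of the whole record, not of each field: a mask that is safe on its own can become a full card number the moment it sits next to a fingerprint computed without a key, and an assessment of a leak should test the combination.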
“In an ideal scenario such breaches should be immediately informed to the banks, card networks, and the banking regulator. Once the breach has been sealed, the public should also be informed,” said a top executive at a cybersecurity firm on condition of anonymity, since he cannot speak on company-specific breaches.
Industry insiders pointed out that Juspay's approach of handling the issue on its own and informing only its merchant partners could come under scrutiny from card networks and the banking regulator.
“It is urgent that a country of such size and scale needs to revise the current cybersecurity policy in place to address newer threats… the Personal Data Protection Bill (PDP) and new national cybersecurity policy must have a strong framework to handle critical issues related to cybersecurity and data breach communication,” said Bharat Panchal, Chief Risk Officer, India, Middle East and Africa at FIS, a global payment company.
Without singling out the Juspay issue, Panchal highlighted the need for urgent reforms in this sector, especially since the cybersecurity space has seen rapid innovation from hackers and fraudsters.
Further, he emphasised the need for a quick-response mechanism for organisations to deal with such issues.
“A strong detection system and quick incident-response mechanism would be the key success factors to minimize the damage caused by such incidents. Additionally, organizations may need to take a serious look at adopting a zero trust model, consolidating cybersecurity operations, deploying new prevention technologies, and rethinking their approach to risk and regulation,” he added.
The PCI Security Standards Council, which maintains the payment card security standards that companies handling card data are expected to adopt, has its own guidance on responding to such attacks.
“If a cardholder data breach has occurred or is suspected, the payment brands may require an independent forensic investigation to be completed by a PFI listed on the PCI SSC website,” wrote Gill Woodcock, Vice President for programmes at PCI Security Standards Council, in a blog post on how to respond to a data breach.
Defending its position in a detailed blog post, Juspay said that all sensitive card details, including full card numbers and transaction details, are safe.
However, Juspay said it did not feel the need to inform the larger community since sensitive customer information was never compromised. The company said it felt it needed to inform its merchants and ensure the security of their existing systems, and did just that.
Juspay offers its payment solutions to major ecommerce portals like Big Basket, Swiggy, Dream11, CureFit and others. The startup offers the entire payment suite which can be customised for business requirements. In April 2020, it raised a $21.6 million equity round from Sweden’s Vostok Emerging Finance along with Boston-based Wellington Management Company and Accel.
As per details on its website, the company processes 4 million transactions every day.
As a lesson from this incident, Juspay said in the post that it had identified some gaps and made policy changes along with additional investments in cyber threat mitigation.