Amazon, Swiggy Payment Processor Reports About 3.5 Crores Cardholders Data Breach

Juspay, the leading Indian payment processing startup, has suffered a major data breach in which the masked credit and debit card numbers, email IDs, names, and phone numbers of at least 3.5 crore users have been compromised.

The breach was discovered by Indian cybersecurity researcher Rajshekhar Rajaharia, who alerted Juspay and various news outlets about it. Juspay, which processes payments for major tech firms like Amazon, Swiggy, and MakeMyTrip, soon followed this up with a blog post of its own, giving its account of the incident.

Media Reports Sensationalizing the Incident: Juspay

The breach took place in the early hours of August 18, 2020, according to Juspay. Their account of the matter further holds that their incident response team dealt with the breach as soon as the system had been alerted.


The breached server was accessed via an old AWS access key that hadn’t been recycled. However, the leaked information was non-sensitive. It included masked credit and debit card numbers (with the first and last four digits showing), customer email ids and phone numbers, as well as card expiry. The researcher who reported the matter confirmed the same to various news outlets.
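The root cause described above, a long-lived access key that was never rotated, is something an account owner can audit for. The following is an added example, not Juspay's tooling: it scans a CSV in the layout of an AWS IAM credential report and lists active access keys older than a threshold. The 90-day threshold, the function names, and the sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an IAM credential report (only the
# columns used here); users and dates are made up for illustration.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
deploy-bot,true,2017-03-02T10:11:12+00:00,2020-08-10T01:02:03+00:00,false,N/A,N/A
alice,true,2020-07-20T09:00:00+00:00,2020-08-17T12:00:00+00:00,true,2019-01-05T08:00:00+00:00,N/A
legacy-svc,false,2016-01-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

def _parse(ts):
    """Return an aware datetime, or None for placeholders such as N/A."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None

def stale_access_keys(report_csv, now, max_age_days=90):
    """List active keys older than max_age_days (assumed policy), oldest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):  # an IAM user can hold up to two keys
            if row.get(f"access_key_{slot}_active") != "true":
                continue  # inactive keys cannot authenticate
            rotated = _parse(row[f"access_key_{slot}_last_rotated"])
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                last_used = _parse(row[f"access_key_{slot}_last_used_date"])
                findings.append({
                    "user": row["user"], "slot": slot, "age_days": age,
                    # old, active and never used: a candidate for deletion
                    "never_used": last_used is None,
                })
    return sorted(findings, key=lambda f: f["age_days"], reverse=True)

if __name__ == "__main__":
    audit_time = datetime(2020, 8, 18, tzinfo=timezone.utc)
    for finding in stale_access_keys(SAMPLE_REPORT, audit_time):
        print(finding)
```

Keys flagged as both old and never used are the safest to deactivate first; keys still in use need a replacement issued before the old one is revoked.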

Juspay reassured users that no PINs, CVVs, full card numbers, or order details were compromised in the breach. Despite this, Rajaharia believes that if hackers figure out how to decrypt the masked card numbers, it could mean bad news for customers and the firm. However, in response to this claim, Juspay told Gadgets 360 that decrypting card numbers is impossible as their system encrypts them hundreds of times and the algorithm cannot be reverse-engineered.

After the breach, Juspay alerted all of its partners and collaborated with them to strengthen the security of their system. The measures taken included enabling two-factor authentication for access to any of its servers and switching to a newer and more secure locking system. Juspay also seems committed to decreasing its data collection and data retention by amping up its compliance with existing data privacy frameworks such as the GDPR and DEPA.

Data Now on the Dark Web

Rajaharia originally found out about the data dump via the dark web, where it is up for sale. According to him, the hacker is contacting interested buyers via Telegram and is asking for payment in Bitcoin. One source claims that the seller is charging $8000 for the data.

The hacker behind this breach is also believed to be behind 25 other breaches, including one on Indian online grocery unicorn BigBasket.


Not Just a Breach But a Larger Conspiracy

That’s not all there is to this breach. The news of Juspay’s data leak might have surfaced much sooner were it not for a cybersecurity firm called Cyble.

Based in the US, the startup arrived on the cybersecurity scene about 2 years ago. In this short span, it has become known as a bully by tech startups all over the world, but especially in India.

According to The Ken, one of the ways in which Cyble gains clients is by tracking down major data breaches and contacting the involved companies with deals. If the company rejects the offer, Cyble posts about the breach on their blog. In Juspay’s case, they thought it better to become a client of the firm than to have this news exposed.

However, that wasn’t the case for BigBasket, which refused to partner with Cyble, only to have Cyble reveal the data leak BigBasket had suffered.

While Juspay’s decision to prevent news of the breach from being known might raise eyebrows, the company seems dedicated to the privacy of its users’ data as it follows the highest level of compliance laid down in the PCI DSS, a payment security protocol.

Cybersecurity Laws in India Need Reform

India has suffered its fair share of data breaches over the past few years. Financial security is an especially hot topic as more users are opting for digital payment options. In terms of digital payments specifically, India is projected to account for 2.2% of the global digital payments market in the next two years.

National Security Advisor Ajit Doval believes that India’s increasing dependence on digital payments could end up becoming a dangerous thing in the future given the increasing number of financial frauds in the country.

With this in mind, India’s data privacy laws need quick reform to keep up with its rapidly changing digital climate owing to the large number of smartphone and internet users in the country.

