Your Security, Our First Concern: Customer transaction-related data is secure

  • During the early hours of 18th Aug 2020, we noticed unauthorised activity in one of our data stores.
  • An unrecycled access key was exploited, which enabled the unauthorised access.
  • An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store.
  • Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the cyberattack was terminated and the entry point for this intrusion was sealed.
  • Within the same day, a system audit was done to make sure the entire category of such issues is prevented.
  • Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.
  • Over the next few days, a thorough analysis of the audit trails was undertaken to assess the impact of the cyberattack.
  • About 3.5 Cr records with masked card data and card fingerprint (which is non-sensitive information) were breached. The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction.
  • A part of the user metadata in our system, which has non-anonymised, plain-text email IDs and phone numbers, was compromised.
  • Other than the one data system mentioned above, none of the other systems was subjected to the cyberattack.
  • Our card vault, in a different PCI-compliant store with encrypted card data, is secure
  • CVV, PINs or Passwords are not stored by Juspay; hence completely secure
  • All order and transactional data is secure
  • All API keys and source code are secure
  • We worked with our merchant partners to refresh API keys and invalidate the old keys. Subsequently, the old keys were verified to be safe.
  • Enforced 2 Factor Authentication for all tools in the company
  • Moved away from access key-based automation. We now use IAM role-based temporary security credentials as a more secure alternative.
  • Recycled all older credentials in our systems and set tight key rotation policies.
  • Further tightened various internal systems access control protocols, limiting resource access.
  • We are engaged with threat intelligence experts and have invested in enhanced threat monitoring tools.


Juspay is India’s leading Payments Operating system powering 30 Mn payment transactions each day. Key products include Hyper SDK, Express Checkout and UPI stack