Updated January 5th, 2021
August 18, 2020 cyberattack limited to an isolated system.
Only records of non-sensitive masked card information infringed
Over the past 8 years, whenever you saw that rotating Juspay logo, you knew your payment would happen quickly & 100% securely. And our teams continue to work to keep it that way. As we’ve come to handle millions of transactions every day, privacy and security have always been at the core of whatever we do.
This trust we’ve built over a decade with you and with our partners is the core that fuels our commitment. When something questions that trust, we take it very seriously. However, Juspay was a victim of a cyberattack in one of our isolated storage systems on August 18, 2020. Our security audit conducted immediately after this incident has isolated the cause to an unrecycled access being compromised.
The breach was restricted to an isolated system containing non-sensitive masked card data, which is primarily used for display purposes on merchant UI and cannot be used for completing a transaction. All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information.
Several media reports seem to be sensationalizing the incident. Reports claiming that the data of 10 crore cardholders was breached, or that this is ‘India’s largest breach’, are grossly inaccurate. We request news outlets to contact us directly to corroborate the actual facts.
We are in close contact with the relevant government authorities and the RBI.
Please reach out to us at email@example.com if you have any query.
Technical Details of the incident
At Juspay, we have different systems to store data depending on the sensitivity of the information and the functionality.
- On 18th Aug 2020 during the early hours, we noticed unauthorised activity in one of our data stores.
- An unrecycled access key was exploited and that enabled unauthorized access.
- An automatic system alert was triggered due to a sudden increase in the usage of the system resources on the data store.
- Our incident response team immediately engaged and was able to trace the intrusion and stop it. The server used in the cyberattack was terminated and the entry point for this intrusion was sealed.
- Within the same day, a system audit was done to make sure the entire category of such issues is prevented.
- Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.
- Over the next few days, a thorough analysis of the audit trails was undertaken to assess the impact of the cyberattack.
What is the impact?
- About 3.5 Cr records with masked card data and card fingerprint (which is non-sensitive information) were breached. The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction.
- A part of user metadata in our system which has non-anonymised, plain-text email IDs and phone numbers got compromised.
What is Secure?
- Other than the one data system mentioned above, none of the other systems was subjected to the cyberattack
- Our card vault, in a different PCI-compliant store with encrypted card data, is secure
- CVV, PINs or Passwords are not stored by Juspay; hence completely secure
- All order and transactional data is secure
- All API Keys or Source Code is secure
What actions have we taken to safeguard our systems?
- We worked with our merchant partners to refresh API keys and invalidate the old keys. Subsequently, the old keys were verified to be safe.
- Enforced 2 Factor Authentication for all tools in the company
- Moved away from access key-based automation, using IAM role-based temporary security credentials as a more secure alternative.
- Recycled all older credentials in our systems and set tight key rotation policies.
- Further tightened various internal systems access control protocols, limiting resource access.
- We are engaged with threat intelligence experts and have invested in enhanced threat monitoring tools.
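The root cause named above was an unrecycled access key, and two of the actions listed are recycling older credentials and setting key rotation policies. The following is an added example, not Juspay's code, of a rotation-policy check run over an access-key inventory. The CSV column names, the sample rows, and the 90-day age and 30-day idle thresholds are all assumptions chosen for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed inventory export; key IDs, owners and column names are hypothetical.
SAMPLE_INVENTORY = """\
key_id,owner,status,created,last_used
KEY-EXAMPLE-01,deploy-bot,active,2017-03-02T10:00:00+00:00,2020-08-01T04:12:00+00:00
KEY-EXAMPLE-02,report-job,active,2020-07-20T09:30:00+00:00,2020-08-17T23:50:00+00:00
KEY-EXAMPLE-03,former-employee,active,2019-01-15T08:00:00+00:00,
KEY-EXAMPLE-04,old-etl,inactive,2016-05-05T12:00:00+00:00,2018-02-02T00:00:00+00:00
KEY-EXAMPLE-05,backup-job,active,2020-06-25T06:00:00+00:00,2020-06-26T06:00:00+00:00
"""


def find_stale_keys(csv_text, now, max_age_days=90, max_idle_days=30):
    """Return (key_id, owner, reasons) for active keys that break the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"].strip().lower() != "active":
            continue  # a disabled key can no longer authenticate
        reasons = []
        # Age since creation approximates "time since last rotation".
        age = (now - datetime.fromisoformat(row["created"])).days
        if age > max_age_days:
            reasons.append(f"not rotated for {age} days")
        last_used = row["last_used"].strip()
        if not last_used:
            # Issued but never exercised: nothing depends on it, so revoke it.
            reasons.append("never used")
        else:
            idle = (now - datetime.fromisoformat(last_used)).days
            if idle > max_idle_days:
                reasons.append(f"idle for {idle} days")
        if reasons:
            findings.append((row["key_id"], row["owner"], reasons))
    return findings


if __name__ == "__main__":
    as_of = datetime(2020, 8, 18, tzinfo=timezone.utc)
    for key_id, owner, reasons in find_stale_keys(SAMPLE_INVENTORY, as_of):
        print(f"{key_id} ({owner}): {'; '.join(reasons)}")
```

Keys flagged as old but still in regular use are the ones to migrate to temporary credentials first, since revoking them outright would break the automation that depends on them.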
We are committed to further enhancing our security standards
Since our inception, we have made significant investments in security and data governance and our policies are aligned to globally accepted data protection standards.
Fast-growing tech-infrastructure companies are a constant target for cyberattacks. While we follow all requisite industry benchmarks, this incident has pushed us further to innovate deeply on privacy and security.
We did identify some gaps as we learnt more from our recent experience and have taken several measures involving policy changes and further investment in cyberthreat mitigation tools. We will continue to learn from this incident and remain committed to securing our customers and merchant partners to the best of our ability.
You can write to us at firstname.lastname@example.org for queries or additional questions.
Thank you for your understanding and support 🙏🏻