According to the blogpost, the data breach was restricted to an isolated system containing non-sensitive masked card data, which is primarily used for display purposes on the merchant user interface (UI) and cannot be used to complete a transaction.
“All of the customers’ full card numbers, order information, card PINs, or passwords are secure. The compromised data does not contain any transaction or order information,” Juspay said. “About 3.5 crore records with masked card data and card fingerprint (which is non-sensitive information) were breached… A part of user metadata in our system which has non-anonymised, plain-text e-mail IDs and phone numbers got compromised.”
Juspay faced a cyberattack on 18 August 2020. While reports suggested that data of 10 crore cardholders was breached, the company termed these “grossly inaccurate”. Juspay said one of its isolated storage systems was attacked, and a security audit conducted immediately after the incident isolated the cause to an unrecycled access being compromised.
The company said its merchant partners were informed of the cyberattack and it worked with them to take various precautionary measures to safeguard information.
In Tuesday’s blogpost, Juspay said it is in close contact with relevant government authorities and the Reserve Bank of India regarding this matter. “We are engaged with threat intelligence experts and have invested in enhanced threat monitoring tools,” it said, adding that it has tightened various internal systems access control protocols, limiting resource access.