Earlier this week, Juspay had said it faced a cyber-attack on August 18 last year. It had stated that the breach was restricted to an isolated system containing non-sensitive masked card data, which is primarily used for display purposes on the merchant UI (user interface) and cannot be used for completing a transaction.
Juspay had also emphasised that the data compromised during the breach did not contain any transaction information, and that customers’ card numbers and passwords remain secure.
“Following several measures undertaken to further improve information and systems security at Juspay, we have appointed Verizon Business to conduct an independent PCI Forensic Investigation (PFI).
“We have also appointed PricewaterhouseCoopers (PwC) to undertake a comprehensive audit of policies, protocols, and technologies,” Juspay said in a blogpost on Thursday.
These would help enhance resilience and preparedness to mitigate threats from unlawful cyber-attacks, it added.
“With the work undertaken by both Verizon and PwC, we want to combine their global expertise with our experience to ensure that we are more cyber resilient and better prepared to face and defeat similar threats in the future,” Juspay said.
Asked about the reason for the delay in initiating the forensic investigation, a Juspay spokesperson said: “Yes, we should have initiated the forensic investigation earlier. However, following the cyber-attack, our priority was to ensure cardholders’ data and API keys are secure, as well as to strengthen our security response to prepare better against any future attempts on our servers and store.”
“Immediately after the incident we worked with our merchant partners and notified them of the intrusion. We issued fresh API keys, though it was later verified that even the API keys in-use were safe. Thereafter, we conducted a thorough internal audit towards enhancing our technology, security protocols,” the spokesperson said.
The spokesperson added that the company has standardised ‘Enforced 2 Factor’ authentication for all infrastructure access routes for all developers.
Juspay had previously said it is in close contact with the relevant government authorities and the RBI regarding the cyber-attack.
It had explained that about 3.5 crore records containing masked card data and card fingerprint (which is non-sensitive information) were breached as part of user metadata in its system, which has non-anonymised, plain-text e-mail IDs and phone numbers.
The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction, Juspay had said.