The year 2021 has barely begun and we’ve already got news of data leaks. Not small leaks but extremely large data leakers wherein critical customer data was exposed. If 2020 was known as the year of data breaches, the way things have started, 2021 seems no different.
 
The Dark Web is soon turning to be a treasure trove for cybercriminals to get their hands on valuable and critical customer data and for malicious hackers to make big bucks by selling that data.

Most companies take internal system vulnerabilities for granted. until they are hacked. by then it’s too late – data is exposed, company reputation is affected and worse is when customer trust wavers. Rebuilding all that is never easy!

Companies need to start being more stringent with internal system controls and not wait to get hacked to implement controls.

Let's take a look at 2 of the most recent data leaks which were revealed at the start of 2021 in India.
 
<h2>Juspay Data Leak </h2>
 
Juspay, an Indian payment platform that processes transactions for major companies like Amazon, Flipkart, and Swiggy among others revealed that on 18th August 2020 they faced a “cyberattack limited to an isolated system. Only records of non-sensitive masked card information infringed”.
 
The company further stated that “security audit conducted immediately after this incident has isolated the cause to unrecycled access being compromised. The breach was restricted to an isolated system containing a non-sensitive masked card primarily used for display purposes on merchant UI and cannot be used for completing a transaction. All of the customers’ full card numbers, order information, card PINs, or passwords are secure.
 
Juspay further stated that about 3.5 Crore records with masked card data and card fingerprint and non-anonymized, plain-text email IDs and phone numbers got compromised. identify this breach, believes the number of records could be far more than 3.5 crores as stated by Juspay.
 
The data is available for sale on the DarkWeb website Øbin.net by the hacker with the name “Data”. The data dump was initially priced at $ 8000 and contains a large dump of critical customer data. Although some of the data is masked and encrypted, there is a high possibility of hackers figuring out the code and unmasking the data. if this happens, the concerns would be very high for customers in terms of phishing, identify theft, and credit card frauds.
 
As corrective actions following the data leak, Juspay stated that merchant partners were asked to refresh API keys and invalidate the old keys and the company has enforced 2 Factor Authentication for all tools in the company, among other actions.

<h2>BuyUcoin Data Leak </h2>
 
Independent cybersecurity researcher Rajshekhar Rajaharia has revealed yet another data leak that happened in 2020. This time it is an Indian Cryptocurrency wallet and exchange platform BuyUcoin which was the victim of not one but 3 data leaks in 2020. The leaks happened during the months of June, July, and September 2020 and exposed the personal information of more than 3 lakh BuyUcoin users.
 
The leaked information included personal contact information such as email address, phone numbers, encrypted passwords, user wallet details, transaction history, and bank details such as names, account numbers, IFSC codes, account type details, and deposit history.

All this data is available on the DarkWeb in the form of a MongoDB data dump and its size is 6 GB. What’s interesting is that cybersecurity researcher Rajshekhar Rajaharia’s data was also part of this dump. As per the research, it seems BuyUcoin’s company server was breached which is how the hacker may have got access to all the user’s data.

BuyUcoin initially denied the breach and later released an updated statement on 22nd January 2021 stating “we are thoroughly investigating each and every aspect of the report about malicious and unlawful cybercrime activities by foreign entities in mid-2020. Based on the internal investigation, we will be keeping you updated with the proceedings and conduct a major cybersecurity overhaul throughout 2021 to upgrade platform security.”

The hacking group Shiny Hunters are believed to be responsible for the BuyUcoin data leak and this is the same hacker responsible for other recent data breaches of Big Basket and Juspay among others.

<h4>How Riskpro Can Help You? </h4>

Riskpro offers Cyber Security consulting, audits, and training. For more details, contact us at info@riskpro.in

<b>Author: Anita Jagasia 
Manager – Riskpro India 
January 2021 </b>