EXECUTIVE SUMMARY:

In August, data belonging to 35 million credit card holders was compromised in a breach of the popular payment platform Juspay. A security researcher reports that the data was recently distributed on the dark web.

Juspay partners with major online retailers in India to process payment transactions (as many as 650,000 per 24-hour period). E-commerce sites that use Juspay include Amazon, Swiggy, and Freecharge.

How did Juspay respond to the breach?

On August 18th, as the breach became apparent, the company immediately kicked into high gear, halting the intrusion, terminating the targeted servers and sealing the attackers’ entry points.

“Within the same day, a system audit was done to make sure the entire category of such issues is prevented,” noted Juspay in a statement.

“Our merchants were informed of the cyberattack on the same day and we worked with them to take various precautionary measures to safeguard information.”

What’s worrying researchers about this incident? 

One troubling detail is that this partner to major retail outlets only acknowledged the breach publicly in recent days, despite its occurrence in August.

Have the 35 million records dumped on the dark web jeopardized identities?

Regarding the stolen data, Juspay reports, “The masked card data is used for display purposes on merchant UI and cannot be used for completing a transaction.” Thus, consumers’ credit card data is safe.

The company did recognize that non-anonymized data, including phone numbers and email addresses, was compromised in the breach. The theft and release of metadata for 100 million processed transactions also represents a concern.

What now? 

The security researcher who first identified the breach, Rajshekhar Rajaharia, is calling on the government to launch an investigation into Juspay’s decision to keep the breach quiet for five months.

Rajshekhar's security analysis, as posted on Twitter. Image courtesy of Twitter.

For more on this story, visit Threatpost.