As we informed you before through the detailed Incident Report, there has unfortunately been a compromise of data from our systems as a result of the cyberattack on PayHere on the 2nd of April 2022.
We regret the inconvenience this incident has caused you and we sincerely apologize for putting you through all this. We would like to make you aware of the current status & the way forward with our service.
Please find below FAQs & what you need to do.
What is a data compromise?
- Data compromise means the unauthorized access, disclosure, transmission and/or use of the data by a third party.
Who has compromised the data?
- The cyber attacker has compromised the data on PayHere systems during the attack on the 2nd of April 2022.
What data has been compromised?
- The entire database has been compromised which includes merchant data, customer data & payment data, except the full card numbers.
How were the full card numbers not compromised?
- We do not store full card numbers in our database, since the card payments are directly processed by our partner banks.
- We only get access to the masked card numbers (first 6 digits & last 4 digits) & expiry dates which are returned by partner banks after processing card payments.
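The storage policy described above (only the first 6 and last 4 digits of a card number are retained) as an added example, not PayHere's own code: a masking routine that rejects malformed input instead of storing it partially, plus a check a team can run over exported records or logs to confirm no unmasked card number has slipped into storage. Function names and the sample records are constructed for illustration.

```python
import re


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Reduce a full PAN to the first-6 / last-4 form, replacing the middle with X.

    Spaces and dashes are stripped first. Anything that is not 13-19 digits or
    fails the Luhn check raises instead of being stored in a half-masked state.
    """
    pan = re.sub(r"[\s-]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a card number")
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def find_full_pans(text: str) -> list:
    """Scan stored text for unmasked PANs: runs of 13-19 digits that pass Luhn.

    Masked values contain X in the middle, so they never match; ordinary
    numbers (ids, dates, amounts) are too short or fail the checksum.
    """
    return [m.group(0)
            for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", text)
            if luhn_valid(m.group(0))]


# Constructed sample records: the first follows the policy, the second violates it.
RECORDS = [
    "merchant=123, card=411111XXXXXX1111, exp=12/24",
    "merchant=456, card=4111111111111111, exp=01/25",
]


def audit_records(records) -> list:
    """Return the unmasked PANs found in each record (empty list means compliant)."""
    return [find_full_pans(r) for r in records]
```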
Have the masked card numbers been compromised?
- Yes, but a masked card number cannot be used to perform any financial transaction.
Is there a financial risk in compromising masked card numbers?
- No. Since the full card number is needed to perform any financial transaction, there’s no financial risk in compromising masked card numbers.
What PII data has been compromised?
- The PII (Personally Identifiable Information) compromised by the attacker includes names, email addresses, physical addresses, phone numbers, purchase histories, masked card numbers, expiry dates & IP addresses of our merchants & their customers, and the information submitted by the merchants when applying for PayHere service.
What are the steps you need to take after a data compromise?
- Enable two-factor authentication on all your Internet accounts, so that a password alone is not enough to log in and an OTP must also be entered manually.
- You can follow this guide to take extra steps to protect your data.
Why did it take us one month to inform you of this data compromise?
- The Cyber Crime Investigation Division (CCID) of Sri Lanka Police started criminal investigations to identify the attacker soon after the attack, and we received legal advice to withhold publishing the report as it might interfere with the investigations.
Are PayHere systems still under attack?
- No, as we moved to a new server infrastructure, we are confident that the attacker no longer has access to our systems. We have taken all the necessary steps to tighten our security on multiple levels to avoid future attacks.
What are the steps taken to avoid data compromises in the future?
- Throughout the last month, our team worked really hard to strengthen the security of our systems with the help of a team of Cyber Security experts.
- We moved to a new server infrastructure & re-engineered our network architecture with advanced security measures to mitigate future attacks at the network level.
- We performed independent source code analysis & vulnerability assessments before re-deploying our systems live, to mitigate security risks at the application level & to ensure that our systems are secure against future attacks.
What are the legal actions taken about the data compromise?
- The Cyber Crime Investigation Division (CCID) of Sri Lanka Police has started investigations to identify the attacker who compromised the data.
- Sri Lanka CERT (Computer Emergency Readiness Team) is helping us to analyse the root cause of the data compromise & provide us a forensic report on the incident.
- We’re working with law experts to take maximum legal actions against the attacker as per the provisions of the Computer Crime Act & Personal Data Protection Act in Sri Lanka.
This incident is something that we never expected, but we value transparency and therefore acknowledge what happened. We again apologize for the time it took to inform you about this, even though it was due to the legal recommendation & the ongoing police investigations.
We’ve learnt a lot from this incident, and we work with a team of security experts to secure current and ongoing data. Despite this serious incident, we are glad that we could avoid any financial losses to any of our users.
We further ask for your understanding & support during this tough time as we work hard, with integrity, to ensure you a better & more secure service ahead.