As a company, we place immense value on our integrity; therefore, we believe it’s our responsibility to share what we know about the cyber attack which occurred on the PayHere website in April 2022.
Accordingly, we’re presenting a detailed report on what happened during the incident, the damage it caused, what was compromised and what we have done to avoid future attacks & ensure the data security of our users.
What happened?
As we acknowledged through our Facebook & Twitter accounts, we met with a cyber attack on the 2nd of April 2022 which affected all our services & resulted in 36 hours of service outage.
As soon as we identified the attack, we immediately shut down all our compromised servers & started deploying our systems in a completely new infrastructure with advanced security features. As a result, we were able to partially restore our services from the new infrastructure on the 3rd of April 2022 and restart payment & payout processing.
What was the damage?
The attacker tried to harm our reputation and the trust we earned from our merchants over the years. However, we took immediate steps to recover from the damages and kept our merchants informed about the situation.
The attacker had altered our website landing page with a ‘Hacked’ notice & posted a screenshot on social media from a fake profile. The attacker had also misled the public by stating false information about our PCI DSS compliance. We immediately made a public announcement acknowledging the attack and correcting the misinformation about the PCI DSS compliance.
We informed the public that we do not capture, transmit or store any credit card details through our servers; card details are processed directly by our partner bank’s servers, which are PCI DSS compliant. Therefore, we can confirm that full credit card numbers of our merchants or their customers had NOT been compromised by the attack.
The attacker had also hijacked our SMS gateway & sent an SMS alert to some of our Merchants, informing them that “PayHere is hacked”, with the above misinformation about the card compromise. We immediately took steps to regain control of our SMS gateway & sent an SMS alert acknowledging the attack & correcting the misinformation about the card compromise.
While we were ensuring our integrity & transparency by communicating about the incident to the public and the respective stakeholders, we were also taking steps to restore our services. We noticed that the attacker had compromised some of our web applications & databases during the attack. We took steps to restore the data from backups & redeploy the web applications from the local files in the new infrastructure.
In summary, the attack resulted in reputational damage to us, but we ensured that no financial damage happened to our merchants or customers due to the attack.
What has been compromised?
As you may know, we offer a completely paperless onboarding process to merchants who sign up for our services. During this process we allow merchants to upload the required documents. Based on the current investigations, we suspect the attacker intruded on our servers through such a file upload. Even though uploads there were restricted to image & PDF files, we suspect the attacker exploited that upload path to plant malware. However, we’re currently working with Sri Lanka CERT (Computer Emergency Readiness Team) to find out the exact root cause of the attack & the types of data compromised through it. Until we find the exact root cause, we have temporarily put the new merchant onboarding process on hold to ensure an improved and secure approach.
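As an added illustration (not PayHere’s code), a minimal upload check of the kind an onboarding document flow like the one above depends on: the file is accepted only if its extension, its magic bytes and its content all agree that it is a plain image or PDF, and it is then stored under a random name, outside the web root and non-executable. Function names, the type allowlist and the script markers are assumptions.

```python
import os
import secrets

# Leading bytes each accepted type must start with (constructed allowlist).
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}
# Server-side script markers that never belong inside a document scan; a
# file that passes the magic-byte check but carries one is a polyglot.
SCRIPT_MARKERS = (b"<?php", b"<script")
MAX_BYTES = 5 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for an onboarding document upload."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in SIGNATURES:
        return False, "extension not allowed"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized file"
    # Trust the bytes, not the name: a renamed script fails here.
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match declared type"
    # Catch the 'valid image header + script body' trick.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, "ok"


def store_upload(data: bytes, ext: str, upload_root: str) -> str:
    """Write the file under a random name the uploader cannot choose.

    upload_root is assumed to sit outside the web root, so nothing in it
    can be requested, let alone executed, through the web server.
    """
    os.makedirs(upload_root, mode=0o750, exist_ok=True)
    path = os.path.join(upload_root, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # readable by the app, never executable
    return path
```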
As per the current investigations, we identified that some of our web applications & databases had been compromised. Therefore, we took immediate steps to change all our 3rd party payment integration credentials & the merchant credentials to avoid future external attacks. We regenerated the domain-specific Merchant Secrets of our merchants & communicated the new credentials to be updated on their side. We also immediately reset the Merchant Passwords used to log in to the Merchant Portal & requested the merchants to set new passwords to access the Merchant Portal.
We also found that the attacker had planted a webhook in our merchant portal source code to get alerts on new user logins after the attack, which let the attacker log those users’ plain-text passwords to an attacker-controlled server. Even though we had already taken steps to reset the Merchant passwords, we transparently informed the affected merchants by email about this password compromise, that is, only those who had logged into the Merchant Portal after the attacker planted the webhook. We informed the merchants that they were at risk only if they had used the same password anywhere else on the Internet & requested them to change those passwords to mitigate that possible risk.
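As an added example (not PayHere’s code) of how a planted hook like the one described above can be caught: hash every file of the release as shipped, rebuild the manifest from the deployed tree on a schedule, and treat any modified or added source file as a tamper signal to investigate. Function names and the constructed sample tree are assumptions.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str, skip_dirs=(".git", "node_modules", "vendor")) -> dict:
    """Map every file under root to its SHA-256 (relative path -> hex)."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(known_good: dict, deployed: dict) -> dict:
    """Compare the release manifest with the tree on disk.  A planted
    webhook shows up as a 'modified' login handler or an 'added' file."""
    return {
        "modified": sorted(p for p in known_good
                           if p in deployed and known_good[p] != deployed[p]),
        "added": sorted(p for p in deployed if p not in known_good),
        "removed": sorted(p for p in known_good if p not in deployed),
    }


def is_clean(report: dict) -> bool:
    return not (report["modified"] or report["added"] or report["removed"])


if __name__ == "__main__":
    # Constructed demo: a two-file release, then a tampered login handler.
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "login.py"), "w").write("def login(): ...\n")
        open(os.path.join(root, "app.py"), "w").write("print('ok')\n")
        release = build_manifest(root)
        with open(os.path.join(root, "login.py"), "a") as fh:
            fh.write("# unexpected post-release change\n")
        print(diff_manifest(release, build_manifest(root)))
```

Store the release manifest somewhere the web server account cannot write, otherwise an intruder who can edit source can just as easily edit the manifest.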
However, we emphasise again that NO full card numbers were compromised during the attack, as we do not store full card numbers in our databases. Card payments facilitated by the PayHere payment gateway are processed directly on our partner bank servers, which are PCI DSS compliant, & we store only the masked card numbers returned by the partner banks, which cannot be used to process any financial transaction.
What has been done to avoid future attacks?
As we suspect it was a malware attack, we have now shut down the compromised server & moved to a completely new distributed infrastructure to avoid further intrusion. We have also tightened our network security by implementing strict firewall rules, geographical restrictions & rate limiting to block further external attacks.
To avoid any attack through the compromised credentials, we have changed the credentials shared between us, the third-party payment processors & our merchants. We have further changed our hashing & authentication algorithms to avoid any possible simulation of them.
We also worked with a Cyber Security Firm, immediately after the attack to ensure that our systems were safe to go live again. They helped us through a complete source code analysis & vulnerability assessments on our systems & reviewed the overall security of our services before restoring them.
We did that step by step, restoring the most critical services first & the rest later. Accordingly, we did an immediate security review of our Payment & Payout Processing System and, after ensuring its safety, restored it on the 3rd of April 2022. We kept our Merchant Portal partially under maintenance until the security review was completed & fully restored it on the 6th of April 2022.
What was the legal action taken?
Soon after the attack, we lodged a complaint with the Cyber Crime Investigation Division (CCID) of Sri Lanka Police on the 4th of April 2022. They called us for a statement on the 21st of April 2022 & we provided a detailed statement & submitted evidence, including the server access logs, for the investigation. The CCID has started investigations to identify the attacker.
Further, we’re currently working with law experts to identify & take legal action against the attacker as per the provisions of the Computer Crime Act & the Personal Data Protection Act in Sri Lanka. Since we are also a victim of this cybercrime just like our users, we’ll take maximum legal action against the criminal with the legal support.
Bottom line
It’s a fact that some threats to cyber safety are often beyond control. Still, we understand the gravity of the situation and care about our users. Security has always been a priority for us as a payment service, even though we could not prevent the incident. We want you to know that we continue to offer you our services, ensuring the security of our systems and network in line with industry best practices. We’ve learnt a lot from this incident, and as we work with the security experts, we ensure your payments are secure now and in future.
Despite this serious incident, we are glad that we could avoid any financial loss to our users and also prevent card data from being compromised.
We sincerely apologize for this and confidently take full responsibility, and we will work to earn your trust.
However, we are thankful for the support we received from our users during the tough time and are very grateful for their patience & understanding.
We started PayHere as an innovative payment service to empower local businesses with Online payment facilities, at a time when the country was far behind in that. Throughout the journey, we’ve faced many challenges, and this is another obstacle that appeared, and soon we’ll overcome that. As a silver lining from this incident, we took this opportunity to improve the security of our services to serve you better and the future local businesses with integrity in the first place.
We will listen to any concerns you might have and answer your questions. You can get in contact by reaching out to us at [email protected].
Update on 2022-05-02:
On 2nd May 2022, the website haveibeenpwned.com published a list of data that was compromised during the attack on our database. The exposed data included names, emails, addresses, phone numbers, purchase histories, IP addresses, and obfuscated card data (card type, first 6 and last 4 digits, expiry date). It’s important to note that no full card numbers were exposed, as we do not store complete card numbers in our database. Since a full card number is required to carry out a card transaction, there is no financial risk associated with the leaked data.
Update on 2022-05-03:
On 3rd May 2022, we issued a public apology to all the parties affected by the incident, outlining the next steps and the necessary actions to be taken following a data compromise. The apology was published on our blog and distributed as an email newsletter to all our merchants, urging them to inform their customers as well. This was done because we understand the importance of transparent communication and are committed to keeping everyone informed throughout the process.
Update on 2022-06-06:
On 3rd May 2022, we partnered with BugZero, a renowned bug bounty program, in our proactive effort to secure our platform from potential threats. Bug bounty programs, such as BugZero, are instrumental in strengthening security measures by engaging ethical hackers and cybersecurity experts to identify vulnerabilities in software systems. This collaborative approach allows us to swiftly address any vulnerabilities that are discovered, fortifying our infrastructure and creating a safer environment for our valued users moving forward.
Update on 2022-08-04:
On 4th August 2022, Sri Lanka CERT released their report on the incident, which confirmed that there has been no compromise of full card numbers or CVV numbers. The report also clarified that only the masked card numbers (first 6 digits and last 4 digits) and card expiry dates were compromised as financial account data during the incident. The complete report was shared with our partner banks, as well as Visa and MasterCard card networks, for their review and reference. Following this confirmation, the investigation case on the incident was closed by Visa and MasterCard card networks.
Update on 2023-07-27:
On 27th July 2023, Google One’s dark web search feature highlighted a data breach concerning PayHere. Although this breach is reported as a recent occurrence in July 2023, we want to promptly and clearly emphasize that this is not a new data breach. The data being cited by Google One pertains to the same cybersecurity incident PayHere experienced in April 2022. It seems the data from our prior breach has been recirculated on the dark web, leading to confusion and concern. Understanding the potential anxiety this might induce among our valued users, we want to reiterate that there has been no additional compromise of our systems since we implemented corrective measures following the 2022 breach. Our team has been consistently collaborating with leading cybersecurity professionals to ensure the unwavering security of our platform.
Update on 2023-07-29:
On 29th July 2023, the website f-Secure.com highlighted a data breach involving PayHere. Even though they have highlighted it as a new data breach that happened in July 2023, it’s again important to clarify that it’s not a new data breach but is, in fact, related to the same cybersecurity incident that happened in April 2022 & the data in question is from the same data dump. As we understand the concerns this might raise among our valued users, we would like to emphasize that there has been no new compromise of our systems since the remedial actions were taken after the 2022 breach & we have been in constant coordination with cybersecurity experts to ensure our platform’s security.