[Notice: The Cyber Crime Investigation Division (CCID) of Sri Lanka Police is currently investigating this cyber crime incident to identify the criminal, and updates on the investigation will be added to this blog post as they become available.]
As a company, we place immense value on our integrity; therefore, we believe it’s our responsibility to share what we know about the cyber attack which occurred on the PayHere website in April 2022.
Accordingly, we're presenting a detailed report on what happened during the incident, the damage it caused, what was compromised, and what we have done to avoid future attacks & ensure the data security of our users.
As soon as we identified the attack, we immediately shut down all our compromised servers & started deploying our systems in a completely new infrastructure with advanced security features. As a result, we could partially restore our services from the new infrastructure on the 3rd of April 2022 and restart payment & payout processing.
What was the damage?
The attacker tried to harm our reputation and the trust we earned from our merchants over the years. However, we took immediate steps to recover from the damages and kept our merchants informed about the situation.
The attacker had altered our website landing page with a ‘Hacked’ notice & posted a screenshot on social media from a fake profile. The attacker had also misled the public by spreading false information about our PCI DSS compliance. We immediately made a public announcement acknowledging the attack and correcting the misinformation about the PCI DSS compliance.
We informed the public that we do not capture, transmit or store any credit card details through our servers, but the card details are directly processed by our partner bank’s servers which have PCI DSS compliance. Therefore, we can confirm that full credit card numbers of our merchants or their customers had NOT been compromised due to the attack.
The attacker had also hijacked our SMS gateway & sent an SMS alert to some of our merchants stating that “PayHere is hacked”, together with the above misinformation about the card compromise. We immediately took steps to regain control of our SMS gateway & sent an SMS alert acknowledging the attack & correcting the misinformation about the card compromise.
While we were ensuring our integrity & transparency by communicating about the incident to the public and the respective stakeholders, we were also taking steps to restore our services. We noticed that the attacker had compromised some of our web applications & databases during the attack. We took steps to restore the data from backups & redeploy the web applications from the local files in the new infrastructure.
In summary, the attack resulted in reputational damage to us, but we ensured that no financial damage happened to our merchants or customers due to the attack.
What has been compromised?
As you may know, we offer a completely paperless onboarding process to merchants who sign up for our services. During this process we allow file uploads so that the required documents can be submitted. As per the current investigations, we suspect the attacker intruded on our servers through such a file upload. Even though we had restricted uploads there to images & PDF files, we suspect that the attacker exploited that upload facility to plant malware. We are currently working with Sri Lanka CERT (Computer Emergency Readiness Team) to find out the exact root cause of the attack. Until the exact root cause is known, we have temporarily put the new merchant onboarding process on hold, so that it can be reintroduced with an improved and more secure approach.
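The paragraph above describes an upload form that was restricted to images and PDFs yet is still the suspected entry point. The following is an added example (not PayHere's code; the file types, size limit and storage layout are assumptions) of the checks a defender would put in front of such a document upload: an extension allowlist, a check that the file content actually matches the claimed type (the browser-supplied MIME type is never trusted), a size limit, and storage under a server-chosen random name with no execute bit, so that whatever is uploaded is only ever data and is never reachable as a script.

```python
import os
import secrets
import tempfile

# Allowlist of accepted extensions and the leading bytes ("magic numbers") a
# genuine file of that type starts with. The MIME type the client sends is
# under the uploader's control and is deliberately ignored.
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for an identity document scan

# Constructed sample: the smallest thing that looks like a PDF to the check below.
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample document\n%%EOF\n"


class RejectedUpload(ValueError):
    """Raised when an upload fails validation."""


def validate_upload(filename, data):
    """Return the normalised extension if the upload is acceptable, else raise."""
    name = os.path.basename(filename)          # drop any directory components
    if not name or "\x00" in name:
        raise RejectedUpload("bad filename")
    ext = os.path.splitext(name)[1].lower()    # only the LAST suffix counts, so "a.pdf.php" is ".php"
    if ext not in ALLOWED_SIGNATURES:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("empty or oversized upload")
    if not any(data.startswith(magic) for magic in ALLOWED_SIGNATURES[ext]):
        raise RejectedUpload("content does not match the claimed file type")
    return ext


def is_accepted(filename, data):
    """Boolean convenience wrapper around validate_upload."""
    try:
        validate_upload(filename, data)
        return True
    except RejectedUpload:
        return False


def store_upload(filename, data, storage_dir):
    """Validate, then write under a random server-chosen name; return the full path.

    storage_dir is assumed to be outside the web root and served (if at all)
    only through an application handler that streams it as a download.
    """
    ext = validate_upload(filename, data)
    stored_name = secrets.token_hex(16) + ext   # uploader never influences the path
    path = os.path.join(storage_dir, stored_name)
    # O_EXCL: never overwrite an existing file; 0o600: owner read/write, no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo_store():
    """Store the constructed PDF in a fresh temp dir; return (basename, permission bits)."""
    storage_dir = tempfile.mkdtemp()
    path = store_upload("kyc scan.PDF", SAMPLE_PDF, storage_dir)
    return os.path.basename(path), os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(demo_store())
    print(is_accepted("scan.pdf", SAMPLE_PDF), is_accepted("scan.pdf", b"<?php echo 1; ?>"))
```

The two checks reinforce each other: the extension allowlist stops a script extension from ever being written, and the magic-byte check stops a script body from being stored under an innocent extension. Neither replaces the storage rule, which is the one that matters most: a file that the web server cannot execute and that lives outside the document root is inert even if every other check is bypassed.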
As per the current investigations, we identified that some of our web applications & databases had been compromised. Therefore, we took immediate steps to change all our 3rd party payment integration credentials & the merchant credentials to avoid further external attacks. We regenerated the domain-specific Merchant Secrets of our merchants & communicated the new credentials to be updated on their side. We also immediately reset the Merchant Passwords used to log in to the Merchant Portal & requested the merchants to set new passwords to access the Merchant Portal.
We also found that the attacker had planted a webhook in our Merchant Portal source code that reported new user logins to an attacker-controlled server, allowing the attacker to log those users' plain text passwords. Even though we had already reset the Merchant passwords, we transparently informed the affected merchants by email about this password compromise, i.e. only those who had logged in to the Merchant Portal after the attacker planted the webhook. We informed those merchants that they were at risk only if they had used the same password anywhere else on the Internet & requested them to change it there to mitigate that possible risk.
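A planted webhook in application source is an unauthorised change to deployed files, which is exactly what a file-integrity baseline detects. The following is an added example (not PayHere's tooling; the directory layout and file contents are constructed) of the approach: hash every file of a known-good release into a manifest, and later diff a fresh manifest against it to list modified, added and removed files.

```python
import hashlib
import os
import tempfile


def _file_digest(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _file_digest(full)
    return manifest


def diff_manifest(baseline, current):
    """Compare a known-good manifest with a freshly built one."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed mini deployment: baseline it, tamper with it, report the difference."""
    root = tempfile.mkdtemp()
    release = {
        "app/login.py": "def login(user, password):\n    return check(user, password)\n",
        "app/views.py": "def index():\n    return 'ok'\n",
    }
    for rel, body in release.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    baseline = build_manifest(root)   # taken at release time, kept OFF the server

    # Simulated unauthorised change after deployment: an edit to the login
    # handler and a new file dropped next to it.
    with open(os.path.join(root, "app/login.py"), "a") as fh:
        fh.write("    # line that was not part of the release\n")
    with open(os.path.join(root, "app/hook.py"), "w") as fh:
        fh.write("# file that was not part of the release\n")

    return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if an attacker with write access to the server cannot also rewrite it, so it must be generated at build time and stored (or signed) somewhere the web server cannot modify; the same comparison is what a source code review against the repository performs by hand.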
However, we emphasise again that NO full card numbers were compromised during the attack, as we do not store full card numbers in our databases. Card payments facilitated by the PayHere payment gateway are processed directly on our partner banks' servers, which have PCI DSS compliance, & we store only the masked card numbers returned by the partner banks, which cannot be used to process any financial transaction.
What has been done to avoid future attacks?
As we suspect it was a malware attack, we have now shut down the compromised server & moved to a completely new distributed infrastructure to avoid further intrusion. We have also tightened our network security by implementing strict firewall rules, geographical restrictions & rate limiting to block further external attacks.
To avoid any attack through the compromised credentials, we have changed the credentials shared between us, the third party payment processors & our merchants. We have further changed our hashing & authentication algorithms to prevent any possible impersonation.
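Changing the password hashing scheme after a database compromise is only effective if the new scheme is slow, salted per user and recorded in a way that lets it be upgraded again later. The following is an added example (not PayHere's implementation; the cost parameters and record format are assumptions) using scrypt from Python's standard library: each record carries its own salt and parameters, verification is constant-time, and needs_rehash flags records made with weaker parameters so they can be re-hashed on the next successful login.

```python
import base64
import hashlib
import hmac
import secrets

# Current cost parameters. They are stored inside every record so they can be
# raised later without invalidating existing logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record: scrypt$N$r$p$salt$key (base64 fields)."""
    salt = secrets.token_bytes(16)            # fresh random salt per password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return "$".join([
        "scrypt", str(n), str(r), str(p),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password, record):
    """True only if password reproduces the stored key; malformed records fail closed."""
    try:
        alg, n, r, p, salt_b64, key_b64 = record.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(key, expected)  # constant-time comparison


def needs_rehash(record):
    """True if the record uses another algorithm or weaker parameters than current."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def login(password, record):
    """Typical login flow: verify, then transparently upgrade an outdated record."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)      # only possible now, while the password is in hand
    return True, record


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(login("correct horse battery staple", rec))
```

Note what this does and does not protect: a hashed database makes stolen records expensive to turn back into passwords, but it does nothing for a password captured in plain text at login time by planted code, which is why the password reset described earlier was still necessary on top of the algorithm change.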
We also worked with a cyber security firm immediately after the attack to ensure that our systems were safe to go live again. They helped us through a complete source code analysis & vulnerability assessment of our systems & reviewed the overall security of our services before they were restored.
We did that step by step, restoring the most critical services first & the rest later. Accordingly, after an immediate security review confirmed its safety, we restored our Payment & Payout Processing System on the 3rd of April 2022. We kept our Merchant Portal partially under maintenance until the firm completed its security review. (We will fully restore the Merchant Portal after the full security review.)
What was the legal action taken?
Soon after the attack, we filed a complaint with the Cyber Crime Investigation Division (CCID) of Sri Lanka Police on the 4th of April 2022. They called us for a statement on the 21st of April 2022 & we provided a detailed statement & submitted the evidence, including the server access logs, for the investigation. The CCID has started the investigation to identify the attacker.
Further, we're currently working with legal experts to identify & take legal action against the attacker under the provisions of the Computer Crime Act & the Personal Data Protection Act of Sri Lanka. Since we are also a victim of this cybercrime, just like our users, we'll pursue the maximum legal action against the criminal with that legal support.
It’s a fact that some threats to cyber safety are often beyond control. Still, we understand the gravity of the situation and care about our users. Security has always been a priority for us as a payment service, even though we could not prevent the incident. We want you to know that we continue to offer you our services, ensuring the security of our systems and network in line with industry best practices. We’ve learnt a lot from this incident, and as we work with the security experts, we ensure your payments are secure now and in future.
Despite this serious incident, we are glad that we could avoid any financial loss to our users and also prevent card data from being compromised.
We sincerely apologize for this and confidently take full responsibility, and we will work to earn your trust.
However, we are thankful for the support we received from our users during the tough time and are very grateful for their patience & understanding.
We started PayHere as an innovative payment service to empower local businesses with Online payment facilities, at a time when the country was far behind in that. Throughout the journey, we’ve faced many challenges, and this is another obstacle that appeared, and soon we’ll overcome that. As a silver lining from this incident, we took this opportunity to improve the security of our services to serve you better and the future local businesses with integrity in the first place.
We will listen to any concerns you might have and answer your questions. You can get in contact by reaching out to us at email@example.com.
Update on 2022-05-02:
On 2nd May 2022, the website haveibeenpwned.com listed the data that the attacker exposed after compromising our database during the attack. According to that website, the exposed data includes names, emails, addresses, phone numbers, purchase histories, IP addresses & obfuscated card data (card type, first 6 and last 4 digits, expiry date).
We would like to emphasise once more that NO full card numbers have been compromised or exposed, as we do not store full card numbers in our database. We store only the masked card numbers returned by our partner banks after processing card payments; these contain only the first 6 digits (the BIN number) & the last 4 digits, and not the remaining 6 digits in the middle. Since the full card number is needed to perform a card transaction anywhere, this leaked obfuscated card data cannot be used to perform any financial transaction. Therefore, we confirm that there is no financial risk from this obfuscated card data being exposed & there is no need to take action to change cards.
Update on 2022-05-03:
On 3rd May 2022, we made a public apology to everyone affected by this incident & informed them of the way forward & the steps that need to be taken after a data compromise. It was published on our blog and sent as an email newsletter to all our merchants, who were requested to pass it on to their customers.