Neville Lahiru
A recent alert from the cyber security company F-Secure has implicated PayHere in a possible data breach for the second time. Although the alert is dated July 2023 by F-Secure, PayHere clarifies that the data breach isn’t a new one. According to the company, the notice pertains to its 2022 cyber security incident and the data is from the same data dump during that time.
Back in later March 2022, Bhasha’s PayHere payment gateway platform was hacked, compromising around 65GB worth of data. As per Have I Been Pwnd, this left over 1.5 million payment records exposed. This included IP and physical addresses, names, phone numbers, purchase histories, and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date). Months following the incident, PayHere stated that “there has been no compromise of full card numbers or CVV numbers,” according to a Sri Lanka CERT report. During the same period, the company also partnered up with the BugZero bug bounty program to mitigate its security vulnerabilities.
With regard to the hacker, PayHere claims that the CCID is yet to take any legal action even after the company’s complaint last year. Either way, it’s worth noting that despite the preventive measures being taken since the incident, the 1.5 million data dump continues to float around the deep web. Hence the resurfaced alarms on the matter.
Now, as F-Secure’s notice on PayHere makes the rounds, the company reaffirmed that no new data breach has taken place since the 2022 incident. “We would like to emphasize that there has been no new compromise of our systems since the remedial actions were taken post the 2022 breach and we have been in constant coordination with cybersecurity experts to ensure our platform’s security,” claims PayHere.
The bigger picture
So far, the PayHere incident marks one of the biggest data breaches in Sri Lanka over the past few years. While company data breaches aren’t anything new, the magnitude of PayHere’s hack shines a bigger spotlight on the urgent need for personal data protection, particularly at a national level. To this end, the government is seemingly moving ahead to build regulatory processes around the area.
Back in August 2022, the Cabinet of Ministers approved the implementation of SL CERT’s “Information and Cybersecurity Policy” which is set to be implemented in all public authorities under the Right to Information Act No. 12 of 2016. By June, the State Minister of Technology Kanaka Herath stated that the upcoming personal data-focused Cybersecurity Act is to be presented to the parliament this year.
More recently, the president and current Minister of Technology issued a gazette activating provisions under Part V of the Data Protection Act. This means that the Data Protection Authority, the body that will be effectively responsible for the enactment of the Data Protection Act, is now in operation. Either way, it will be interesting to see how the exact mechanics will play out, especially considering that the Sri Lanka government’s own security track record isn’t encouraging.
[Update 31/07/2023]: Added updated comment from PayHere regarding the hacker responsible for the attack and context to how the breached data resurfaced online
GIPHY App Key not set. Please check settings