Your browser is currently blocking notification.
Please follow this instruction to subscribe:
X
Notifications are already enabled.
X

Hacker Steals INR 7.3 Cr From Razorpay By Tampering Authorisation Process

Hacker Steals INR 7.3 Cr From Razorpay By Tampering Authorisation Process

Razorpay’s head of legal disputes and law enforcement, Abhishek Abhinav Anand filed a complaint on May 16 and provided the details of the 831 failed transactions

The company claims to have already recovered part of the amount and is working with the relevant authorities for the rest of the process

The event occurred on certain merchant sites that were using an older version of the Razorpay integration, but no merchant funds were affected by this incident

Bengaluru-based fintech giant Razorpay has filed a complaint with the South East cybercrime police against theft of INR 7.3 Cr. The cybercrime police is trying to track down the hacker who stole INR 7.3 Cr over a period of three months.

The company claims that while auditing the transactions of the platform, the officials at Razorpay found that they were unable to reconcile the receipts of INR 7,38,36,192 against 831 transactions.

Razorpay’s head of legal disputes and law enforcement, Abhishek Abhinav Anand filed a complaint on May 16 and provided the details of the 831 failed transactions – including the date, time and IP address, among other relevant information to the police.

The theft is a result of someone tampering with the company’s authorisation and authentication process. The hacker(s) had created false approvals that were sent to Razorpay against the 831 failed transactions, resulting in a loss amounting to INR 7.38 Cr.

According to a Razorpay spokesperson, “During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorisation data on a few merchant sites which were using an older version of Razorpay’s integration, due to gaps in their payment verification process. No end-consumer and no merchant data or merchant funds were affected by this incident.”

The company claims to have taken steps to mitigate the issue permanently and eliminate future occurrences. It also claims to have already recovered part of the amount and is working with the relevant authorities for the rest of the process.

The eight-year-old fintech unicorn claims to enable digital payments for 200K+ businesses including Airtel, IRCTC, NSE, Swiggy, etc. With large scale enterprises trusting the network and its payment authorisation technique, the possibility of ‘false’ authorisation puts a dent in the company’s security system.

India’s Rising Cyber Crime & Govt’s Way Of Tackling It

Over the past couple of years, Indian corporates similar to Razorpay have seen an increasing number of cyberattacks targeting their key infrastructure. For instance, in 2022 alone, hackers stole the personal data of 4.5 Mn Air India passengers, Indian petroleum refineries network faced over 90K cybercrime incidents, and multiple fake ‘gift card’ WhatsApp messages.

In the first two months of 2022, 2.2 Lakh cybercrime incidents were reported, outlining the need for a robust cybersecurity regulatory body. In fact, celebrities Rajkumar Rao and Sunny Leone were also subjected to PAN Card fraud when their details were used to take small defaulted loans, affecting their CIBIL Scores.

Fintech startups, though, have been at the centre of hackers’ attention. Besides Razorpay, MobiKwik and Juspay were also involved in data leak/breach incidents impacting over 21 Cr users.

Thus, last month, India’s cybersecurity agency Indian Computer Emergency Response (CERT-In) issued new directions to overlook response activities and emergency measures in case of cybercrime incidents.

Under the new guidelines, the Centre has made it compulsory for all companies to report all cybercrimes within six hours of noticing such incidents and keep the security log for 180 days within India.