The theft came to light when officials of Razorpay Software Private Limited were unable to reconcile receipt of ₹7,38,36,192 against 831 transactions. | Photo Credit: Getty Images

May 19, 2022 13:42 IST

The hacker stole ₹7.3 crore over three months by manipulating the authorisation process of the payment gateway company to authenticate 831 failed transactions

The South East cyber crime police are trying to track down a hacker who stole ₹7.3 crore over three months by manipulating the authorisation process of a payment gateway company to authenticate 831 failed transactions.

The theft came to light when officials of Razorpay Software Private Limited were auditing the transactions. They were unable to reconcile receipt of ₹7,38,36,192 against 831 transactions.

Razorpay Software Private Limited provides online payment services that allow businesses in India to collect payments through credit card, debit card, net banking, and wallets.

Abhishek Abhinav Anand, head of Legal Disputes and Law Enforcement at Razorpay Software Private Limited, filed a complaint with the South East cyber crime police on May 16.

The police are trying to track down the hacker based on online transactions. An internal probe carried out by Razorpay Software Private Limited found that some person, or persons, had tampered with, altered and manipulated the ‘authorisation and authentication process’. As a result, false ‘approvals’ were sent to Razorpay against the 831 failed transactions, resulting in a loss amounting to ₹7,38,36,192.

Razorpay Software Private Limited provided details of the 831 failed transactions, including date, time and IP address, along with other relevant information to the police.

According to a statement issued by Razorpay, a spokesperson said, "Razorpay's payment gateway is at par with the industry standards on data security. During a routine payment process, an unauthorized actor(s) with malicious intent used the browser to tamper with authorization data on a few merchant sites which were using an older version of Razorpay's integration, due to gaps in their payment verification process.

The company has conducted an audit of the platform to ensure no other systems, no merchant data and funds and neither their end-consumers were affected by this incident.

The company is ISO 27k, PCI-DSS and SOC 2 compliant, it applies end-to-end transaction data security features, combined with strong authentication and authorization protocols to protect businesses from potential threats.

Razorpay has proactively taken steps to mitigate the issue permanently and eliminate future occurrences. The company has already recovered part of the amount and is proactively working with the relevant authorities for the rest of the process."