My thoughts on the PayHere data breach

Yesterday a tweet by Duminda, a fellow developer on Twitter, caught my eye. In that tweet he said that he had been warned by Have I Been Pwned about a data breach at PayHere, an online payment processor in Sri Lanka.

PayHere may well be one of the largest and most significant data breaches to occur in Sri Lanka, and it is the only data breach from Sri Lanka to be included in Have I Been Pwned.

Since I may have submitted my personal and payment details through a merchant that uses PayHere as its payment processor, and since I also tried to apply as a merchant on PayHere several years ago, I decided to search for my email on Have I Been Pwned. There it was: my email is in the PayHere data breach.

But the thing is, I never received an email about a data breach from PayHere. They never asked me to change my password and never informed me about what the hackers managed to steal about me from their database. Are my banking details at risk? Did they manage to get my credit card information?

Upon further searching, I came across this tweet, which showed

PayHere was indeed hacked, and their website was defaced by the hackers who broke into the website in late March.

The account that initially posted this tweet, “MyWayReach”, is now suspended. Even though the breach happened in March/April, apart from a few social media posts, PayHere never informed their customers about the incident.

Users can easily miss social media posts about a breach. Relying on them is not a responsible way to handle a serious data breach or to inform your customers about an incident.

According to Have I Been Pwned, the breach contains more than 1.5 million email addresses, along with personal information, partially obfuscated credit card data and other records.

It took nearly a month for them to acknowledge the breach in a blog post. They are yet to inform their customers individually about the breach.

Data protection act loophole?

PayHere exploited a loophole in the Sri Lankan data protection act to avoid informing their customers about the data breach. The act binds companies to notify the data protection authority of any potential data breach. However, the act does not explicitly bind companies to notify their customers of a data breach.

However, companies have a moral obligation to inform their customers about a data breach, and this is something most global companies follow when handling a serious data breach of this nature.

As Access Now, which has done thorough research on the Data Protection Act, suggests, companies should be given a deadline of no less than 5 days to inform both the data protection authority and the public about a potential data breach.

You can read the Access Now analysis of the current data protection act in Sri Lanka here: https://www.accessnow.org/cms/assets/uploads/2022/02/Policy_Brief_Sri_Lanka_Data_Protection_Bill_February_2022.pdf

PayHere’s data breach is a good lesson for tech companies on how to handle a potential data breach in a responsible manner. And we hope future amendments to the data protection act close these loopholes for better disclosure of data breaches.