
My Two Cents on the PayHere Hack

In my blog post titled “The Worrying State of Cybersecurity in Sri Lanka,” published last year, I warned that cybercriminals are increasingly targeting high-profile digital assets owned by government institutions and major business entities. My concern was based on emerging trends and the lack of proactive defense mechanisms in place. A year and two months later, my concerns appear to have been validated. As of today, PayHere—a widely used Internet Payment Gateway Service Provider in Sri Lanka—has publicly confirmed they are under a cyberattack. Their official website remains unresponsive, and customers are left in the dark, awaiting further updates.

This incident serves as a wake-up call, exposing serious vulnerabilities in Sri Lanka’s digital infrastructure. PayHere has confirmed the attack, yet many important questions remain unanswered about how it happened and the full extent of the damage caused. This breach highlights significant risks faced by businesses and consumers who rely on online services for daily transactions and payments. In this post, I will share insights on possible causes, the impact on trust and security, and urgent steps needed to protect our digital ecosystem effectively. Strengthening cybersecurity measures is critical to safeguard our nation’s growing digital economy and prevent future attacks.

The Scale of the Hack

According to this notice on Twitter, the attackers broke in and defaced the website before transferring large volumes of data to their servers. The notice also says the stolen data includes the database dump and the source code, which they are planning to release on Twitter later today. There’s no way to verify the credibility of these claims, unfortunately. According to this notice on PayHere’s official Facebook page, the attackers have compromised their SMS Gateway as well.

The notice suggests the attackers might have gotten away with PII or personally identifiable information (contact numbers, email addresses, etc.) of anyone who made payments through the PayHere IPG. That means if you have ordered products and services from an e-commerce website designed to receive payments through PayHere, chances are high your PII is already compromised. It is difficult however to accurately assess the scale of the hack based solely on the word of the attackers.

The Gravity of the Hack

According to the attackers, the payment gateway is not compliant with “PCI DSS” and PayHere has lied about its security. Companies like PayHere must comply with 12 requirements to receive the PCI DSS certification. I do not know which one of these requirements PayHere failed to follow. If they lied, however, from now on we have to think twice before providing our payment card details to businesses using the PayHere IPG to accept payments online.

Another concern is that leading financial institutions on the island such as Sampath Bank and Seylan Bank have forged partnerships with PayHere in the past. The extent to which these banks are linked with PayHere is not clear at the moment. Nevertheless, we cannot completely rule out the possibility of the networks owned by these banks getting compromised in the event PayHere gets hacked again. Such incidents have happened before. Consider how the retail giant Target was hacked, if you need an example.

Response from PayHere

PayHere in a lousy Tweet and a Facebook post announced they are under attack but the developers are active in resolving the issue. There was no formal announcement or press release, however. They reassured payment card details were not exposed but did not comment on the fate of the personally identifiable information. Did they inform the SLCERT? I have no idea! Frankly speaking, I feel PayHere management is not doing enough to warn their end-users or the customers of those end-users.

I am a frequent buyer at Jump Books, an online bookshop that uses the PayHere IPG to accept card payments on its website. Hence it’s possible the attackers were able to compromise my own personally identifiable information and that of many others. Unfortunately, not even Jump Books alerted me to the incident. They should have, but they did not. There is a notice on their checkout page saying “PayHere Online payment gateway is temporarily disabled due to a technical issue from our payment partner” and that’s it.

Wrap Up

Please exercise extreme caution if you have recently ordered products or services from e-commerce websites that use PayHere for payment processing. If attackers managed to access your personally identifiable information such as your contact number, email address, or other details, they could exploit this data to launch targeted phishing attacks against you. Be very wary of suspicious website links received via emails, text messages, or WhatsApp, even if these messages appear to come from trusted contacts or legitimate sources. Cybercriminals often impersonate known entities to trick victims, so always verify the authenticity of communications before clicking any links or sharing sensitive information.

I am genuinely curious about how PayHere’s leadership chose to issue a brief and casual notice on social media and then seemingly moved on, despite cybercriminals exploiting a serious vulnerability in their widely used payment platform. This incident highlights the urgent need for a strong, reliable, and enforceable data protection law in Sri Lanka. Although a data protection bill has been passed in parliament, I question whether it truly has the power and enforcement mechanisms to effectively hold local software vendors accountable. If the law were robust and comprehensive, PayHere management would likely face more serious consequences and greater responsibility for safeguarding user data and protecting consumers nationwide.

Updates:

Monday, April 4, 2022

A day after the incident, PayHere announced on Twitter and Facebook that the IPG is partially back online. As of 5:06 pm on Monday, April 4, 2022, however, the PayHere website is offline once again. In the meantime, I would like to share a few thoughts about the announcement. In it, the PayHere management said they have “tightened” the security of their infrastructure while investigating the incident further with the help of a cybersecurity firm. All these measures towards improved security are good, but not good enough. Here’s why.

These measures are reactive measures, not proactive measures. If the attackers have already walked away with personally identifiable information, then tightening the security is like closing the stable door after the horse has bolted. Further, the PayHere management should have sought the assistance of a cybersecurity firm before the incident and carried out “penetration tests” regularly. Hiring professionals to investigate the incident now is more like conducting a postmortem, and it’s of no benefit to the other parties affected.

Monday, May 2, 2022

After one month had gone by since the breach, PayHere published a detailed blog post on Sunday, April 1st, 2022. You can read that post here. However, on Monday, May 2nd, 2022, contrary to PayHere’s assurance to its clients that credit card information was not leaked, HIBP (Have I Been Pwned) reported otherwise.

[Screenshot: the Have I Been Pwned (https://haveibeenpwned.com) breach notice for PayHere, March 2022. It reads: “PayHere suffered a data breach that exposed more than 65GB of payment records, including over 1.5M unique email addresses. The data also included IP and physical addresses, names, phone numbers, purchase histories, and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date). A month later, PayHere published a blog on the incident titled Ensuring integrity on PayHere Cybersecurity incident.”]
“Have I Been Pwned?” reported partially obfuscated payment card details were exposed.

It mentioned that partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date) has been exposed in the leak. I am glad the PayHere management reassured us that credit card details were not exposed, but they might want to set the record straight here, because Have I Been Pwned is a service with global recognition and credibility.


If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.
