Banks, National Payments Corporation of India (NPCI) and the government got into damage control mode on Thursday to curtail the risks emerging from a possible data breach of 3.2 million debit cards.
NPCI issued a statement quantifying the damage: “The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected banks to NPCI.”
In what is being termed as one of the biggest ATM security breach in India, debit cards of bank account holders with State Bank of India, ICICI Bank, HDFC Bank, YES Bank, Punjab National Bank and some others have been compromised.
NPCI said the problem was identified when there were complaints from a few banks that their customers’ cards were being used fraudulently, mainly in China and the US, while the customers were in India. “Apprehending that this could be a case of card data compromise, all the ATMs/PoS terminals in India and three card networks — RuPay, Visa and MasterCard worked in a collaborative manner in September 2016,” said NPCI in a statement.
Earlier during the day, banks accepted that there was a data fraud and issued advisories. The government immediately stepped in and has asked NPCI to probe how the data breach took place and submit a report with suggestions on preventive measures, said a senior finance ministry official.
A P Hota, MD & CEO, NPCI said, “Necessary corrective actions have already been taken and hence there is no reason for bank customers to panic. Advisory issued by NPCI to banks for re-cardification is more as a preventive exercise.”
NPCI said it was working closely with all stakeholders and once the forensic investigation is over, it would issue a further set of recommendations as precautionary measures to member banks.
According to sources, the issue was also discussed at the Reserve Bank of India’s board meeting in Kanpur on Thursday.
As a result of this data breach, banks issued advisories to their customers to change their personal identification number (PIN) and to immediately report in case they suspect any fraudulent transactions. Lenders explained that even in this time of interoperability, where customers are allowed to use other banks’ ATMs, concerns arising from third-party players have increased.
Lenders such as SBI and ICICI Bank said the data breach did not take place at their ATMs. ICICI Bank said, “As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed.” SBI announced that it would re-issue 600,000 debit cards where it believes data could have been compromised.
“We have sent out an advisory to SBI to cancel the debit cards of those customers who have not changed their PIN despite being asked, and issue new debit cards to them free-of-cost. Besides, as far as other instructions are concerned, Indian Banks’ Association is giving out guidance,” said a senior official from the finance ministry’s Department of Financial Services.
Kolkata-based UCO Bank has also said it will replace some of the debit cards. However, the number of such cards would be less than one per cent of the total debit cards issued by the bank, said a spokesperson.
“One of the processors of Hitachi Payments’ central switch had been attacked and the malware deployed on its switch was active for six weeks. Data of all the transactions passed through the switch has been possibly compromised. This happened at YES Bank, White Label Operator ATM (WLA) and a Korean bank ATM,” said a person involved in the investigation. It is believed that cards used at around 90 ATMs have been affected.
YES Bank, however, said it has not seen any data breach so far. “YES Bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on YES Bank ATMs,” said a spokesperson.
Hitachi Payment Services on Thursday claimed that an external audit on its ATM networks that it manages for banks has not seen any breach of its systems. “We had appointed an external audit agency certified by PCI in the first week of September to check the security of our systems for any breach/ compromise based on a few suspected transactions that were highlighted by banks for whom we manage their ATM networks,” said Loney Antony, managing director, Hitachi Payment Services. “The interim report published by the audit agency in September does not suggest any breach/compromise in our systems. The final report is expected by mid-November. The banks and card schemes are updated with the progress of the audit,” Antony added.
SISA, a payments security specialist, is conducting a forensic audit of the data breach and is expected to submit details to NPCI by the first week of November. The company declined to comment on the issue, citing client confidentiality.
However, the banking regulator has not said anything about the issue so far. In the last few months, RBI has stepped up focus on customer awareness and cyber security. The central bank had come out with a draft circular on limiting liability of customers in unauthorised electronic banking transactions.
A K Viswanathan, partner, Deloitte Touche Tohmatsu India said, “This is a wake-up call and lays down an imperative for banks to rethink their cyber strategy and adopt stringent cyber security practices in every aspect of their operations.”