Govt orders probe into debit card data breach


Banks, National Payments Corporation of India (NPCI) and the government got into damage control mode on Thursday to curtail the risks emerging from a possible data breach of 3.2 million debit cards.

issued a statement quantifying the damage: “The complaints of fraudulent withdrawal are limited to cards of 19 and 641 customers. The total amount involved is Rs 1.3 crore as reported by various affected to NPCI.”

In what is being termed as one of the biggest ATM security breach in India, debit cards of bank account holders with State Bank of India, ICICI Bank, HDFC Bank, YES Bank, Punjab National Bank and some others have been compromised.

said the problem was identified when there were complaints from a few that their customers’ cards were being used fraudulently, mainly in and the US, while the customers were in India. “Apprehending that this could be a case of card data compromise, all the ATMs/PoS terminals in India and three card networks — RuPay, Visa and MasterCard worked in a collaborative manner in September 2016,” said in a statement.

Earlier during the day, accepted that there was a data fraud and issued advisories. The government immediately stepped in and has asked to probe how the data breach took place and submit a report with suggestions on preventive measures, said a senior ministry official.

A P Hota, MD & CEO, said, “Necessary corrective actions have already been taken and hence there is no reason for bank customers to panic. Advisory issued by to for re-cardification is more as a preventive exercise.”

said it was working closely with all stakeholders and once the forensic investigation is over, it would issue a further set of recommendations as precautionary measures to member banks.

According to sources, the issue was also discussed at the Reserve Bank of India’s board meeting in Kanpur on Thursday.

As a result of this data breach, issued advisories to their customers to change their personal identification number (PIN) and to immediately report in case they suspect any fraudulent transactions. Lenders explained that even in this time of interoperability, where customers are allowed to use other banks’ ATMs, concerns arising from third-party players have increased.

Lenders such as SBI and said the data breach did not take place at their ATMs. said, “As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed.” SBI announced that it would re-issue 600,000 debit cards where it believes data could have been compromised.

“We have sent out an advisory to SBI to cancel the debit cards of those customers who have not changed their PIN despite being asked, and issue new debit cards to them free-of-cost. Besides, as far as other instructions are concerned, Indian Banks’ Association is giving out guidance,” said a senior official from the ministry’s Department of Financial Services.

Kolkata-based UCO Bank has also said it will replace some of the debit cards. However, the number of such cards would be less than one per cent of the total debit cards issued by the bank, said a spokesperson.

“One of the processors of Hitachi Payments’ central switch had been attacked and the malware deployed on its switch was active for six weeks. Data of all the transactions passed through the switch has been possibly compromised. This happened at YES Bank, White Label Operator ATM (WLA) and a Korean bank ATM,” said a person involved in the investigation. It is believed that cards used at around 90 ATMs have been affected.

YES Bank, however, said it has not seen any data breach so far. “has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on ATMs,” said a spokesperson.

Hitachi Payment Services on Thursday claimed that an external audit on its ATM networks that it manages for has not seen any breach of its systems. “We had appointed an external audit agency certified by PCI in the first week of September to check the security of our systems for any breach/ compromise based on a few suspected transactions that were highlighted by for whom we manage their ATM networks,” said Loney Antony, managing director, Hitachi Payment Services. “The interim report published by the audit agency in September does not suggest any breach/compromise in our systems. The final report is expected by mid-November. The and card schemes are updated with the progress of the audit,” Antony added.

SISA, a payments security specialist, is conducting a forensic audit of the data breach and is expected to submit details to by the first week of November. The company declined to comment on the issue, citing client confidentiality.

However, the banking regulator has not said anything about the issue so far. In the last few months, has stepped up focus on customer awareness and cyber security. The central bank had come out with a draft circular on limiting liability of customers in unauthorised electronic banking transactions.

A K Viswanathan, partner, Deloitte Touche Tohmatsu India said, “This is a wake-up call and lays down an imperative for to rethink their cyber strategy and adopt stringent cyber security practices in every aspect of their operations.”