Security breach feared in 3.25m Indian debit cards

Reuters . Mumbai | Updated at 12:19am on October 22, 2016


A file photo shows a man using an ICICI automated teller machine (ATM) in New Delhi of India on March 5. — Reuters photo

A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country’s largest-ever cyber security incidents.
Card network providers Visa, MasterCard, and home-grown RuPay have alerted banks to the possible compromise, AP Hota, chief executive of National Payments Corp of India that runs RuPay, told the CNBC TV18 television channel.
The cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country, said Hota, adding that the issue was still being investigated.
Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 6,00,000 are on RuPay, said Hota, adding he believed the issue had been contained.
‘Adequate precautions have been taken, information security officers of all the banks and the information security officers of all three networks are in close touch with each other,’ said Hota. ‘There is no reason for any panic, or any kind of worry.’
Visa and Mastercard said in separate statements their own networks had not been compromised, but they were aware of the issue and were working with banks, regulators and others to support investigations.
While the potential breach impacts a large number of debit card holders, the number of cards affected accounts for just 0.5 per cent of the nearly 700 million debit cards issued by banks in India.
Although breaches such as this have occurred in India in the past, Hota said prior breaches have been typically localized to five or 10 ATMs. He added the latest breach may have been caused by a compromised ‘switch’ - part of the back-end networks aiding ATM operations - of one particular local bank.
It was not clear whether the security breach involved card numbers and personal identification numbers only or other data.
Banking industry sources with direct knowledge of the matter said the issue stemmed from a breach in systems of Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd.
The sources were not authorised to speak with media on the matter and so declined to be identified.
Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.
A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding it had no further comment at this time.
State Bank of India, the nation’s top lender, said it had blocked cards of certain customers after being informed by card network providers about a breach outside its network and it was replacing those cards as a proactive measure.
The bank has found about 6,20,000 of its more than 200 million cards ‘vulnerable’, Mrutyunjay Mahapatra, a deputy managing director at SBI, told Reuters, but added he did not expect any significant financial loss.