Over 6.5 million debit cards affected by data breach, say police

22 Oct 2016

Police and other government agencies investigating the debit card fraud now claim the number of debit cards compromised in the data breach could be as high as 6.5 million, as the probe widened, reports published today stated.

The probe agencies' report comes after the government's Computer Emergency Response Team (CERT) directed banks to be on high alert for possible cyber attacks emanating from foreign locations.

While the actual number of debit cards affected by the ATM fraud is still not known, agencies say the number could be as high as 6.5 million.

Police and various government agencies, including the cyber cell of Mumbai Police's crime branch, the ministry of finance and the government's cyber security arm Computer Emergency Response Team-India (CERT-In), are investigating the data breach.

Banks, including the State Bank of India (SBI), have either blocked or recalled over 3.2 million debit cards in a move to safeguard their customers from any financial fraud in the wake of the unprecedented ATM security breach.

SBI is said to have recalled around 6 lakh cards, while others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have also replaced debit cards of several customers as a pre-emptive measure.

Private sector banks, including ICICI Bank, HDFC Bank and Yes Bank, have also asked customers to change their ATM PINs. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.

Banks said that while in some cases the cards have been replaced, in several other cases customers have been asked to mandatorily change the PIN and other security numbers to resume using the blocked cards.

Most banks blame a payment service provider that manages the ATM network of a private sector bank for the security breach, while some reports say certain cards affected by the security breach have been used fraudulently abroad, including in China.

The suspected security breach happened through malware in the systems of Hitachi Payments Services, which serves the ATM network of Yes Bank.

Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.

Yes Bank sought to distance itself from the breach and stressed the need to police service providers better.

"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," Yes Bank chief Rana Kapoor told reporters.

Hitachi Payment Services, however, maintained its system was not compromised, citing an interim report by an external audit agency appointed by it.

According to bankers, the breach took place in such a way that anyone using the said bank's ATMs in the region might stand to get affected.

The finance ministry has, meanwhile, sought details from banks and the Indian Banks association, as well as their views on the additional steps needed to avert such incidents.

G C Murmu, additional secretary in the Department of Financial Services, said only about 0.5 per cent of debit card details were compromised and that the remaining 99.5 per cent of cards are completely safe and bank customers need not panic.

Meanwhile, SBI said, "Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by networks."

Also, it was noted that the data breach at SBI took place between May and July, but was discovered only in September. SBI, however, maintains that its systems have not been compromised and its existing cardholders are not at any risk.

SBI has issued nearly 200 million debit cards.

CERT has been sending advisories to banks and financial institutions about possible breaches in their firewalls. CERT-In had sent warnings to banks months before the attack - in July and August - and two weeks ago, even as a malware infection was spreading through their networks.

CERT had, on 1 July, advised banks and the other financial institutions about cyber attacks planned on their information infrastructure along with the measures to be taken.

And, on 12 and 24 August, CERT-In sent alerts to banks regarding backdoor Trojans that steal credentials, alerting them to advanced targeted cyber attacks along with how to look for signs of possible security breaches.

The latest of these attacks are suspected to be 'targeted attacks from Pakistan', in the wake of India's counterstrike across the border following terrorist attacks in Jammu and Kashmir.

The cyber strikes by Pakistani hackers followed the across-the-border strike by Indian forces at Pakistan's terrorist camps - some reports put these at 7,000.