The National Payments Corporation of India (NPCI) estimated on Thursday that Rs 1.3 crore had been lost by Indian customers in what is turning out to be the biggest ever cyber security breach in the country, putting as many as 3.25 million debit cards at risk. Data across cards are believed to have been stolen from the ATM of an Indian private sector bank that is serviced by Hitachi Payment Services. Of the debit cards affected, 2.65 million are on Visa and Mastercard platforms, while 600,000 are on RuPay.
The complaints of fraudulent withdrawals are spread across debit cards of 19 banks and 641 customers, NPCI said, even as a host of lenders rushed to either replacing cards or asking customers to change their ATM PIN codes. As part of damage control measures, banks are asking customers to use their debit cards only at an ATM of the host bank.
State Bank of India (SBI) customers are believed to have lost around R10 lakh in 18 transactions traced to China, sources told FE. According to a senior banker, the breach may have occurred between mid-May and the first week of July and suspicious transactions were reported on September 5 and October 14, when 15 transactions were noticed from China. The bank decided to block the cards suspecting a data breach and started monitoring them. “After the September withdrawals, the banks sent out advisories to their customers asking them to change their ATM security PIN. All the affected cards were magnetic strip cards and not chip-based,” he said.
Reserve Bank of India (RBI) deputy governor SS Mundra in a recent speech highlighted several instances of fraudulent transactions at banks, one involving a bank’s shared mobile wallet. “Vulnerabilities were observed in the application itself, which led to exploitation by the attackers,” Mundra said. The originator of the transfer could get the amount reversed without corresponding debit in the recipient’s account in a large number of transactions and the total involved was Rs 12 crore, he said.
Speaking to a business news channel, NPCI MD and CEO AP Hota said that in September it had received a number of complaints from banks indicating that their customer’s cards were being used in China though the customers were in India.
He said that 150 customers had complained of compromise. The PCI Council — an international body which sets standards on for PCI-DSS or Payment Card Industry Data Security Standard — has decided to conduct a forensic audit of the breach.
In May, RBI instructed banks to move from magnetic strip cards to chip-based cards by September 2017 to prevent frauds like cloning and skimming. RBI data showed that at the end of July 56 banks had issued 697 million debit cards in India, of which more than 200 million cards belonged to SBI.
In a statement on Wednesday, SBI had said that card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and blocked cards identified by the networks.
Axis Bank said in a statement on Thursday that the breach had occurred in the case of customers who used certain non-Axis Bank ATMs. An ICICI Bank spokesperson said, “We assure our customers that the ATM network of ICICI Bank is equipped with the best-in-class security measures. We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank.”
A statement from Hitachi Payment Services said the company had appointed an external audit agency certified by PCI in the first week of September to check the security of its systems for any breach based on a few suspected transactions highlighted by banks for whom it managed the ATM network. “The interim report of the audit agency does not suggest any breach and the final report is expected by mid-November,” it said.