MUMBAI: Banks in India will either replace or ask users to change the security codes of as many as 3.2 million debit cards in what's emerging as one of the biggest ever breaches of financial data in India, people aware of the matter said. Several victims have reported unauthorised usage from locations in China.
Of the cards, 2.6 million are said to be on the Visa and Master-Card platform and 600,000 on the RuPay platform. The worst-hit of the card-issuing banks are State Bank of India, HDFC BankBSE -0.07 %, ICICI BankBSE 5.09 %, YES Bank and Axis Bank, the people said.
The breach is said to have originated in malware introduced in systems of Hitachi Payment Services, enabling fraudsters to steal information allowing them to steal funds. Hitachi, which provides ATM, point of sale (PoS) and other services, couldn't be reached for comment late Wednesday.
A forensic audit has now been ordered by Payments Council of India on Indian bank servers and systems to detect the origin of frauds that might have hit customer accounts. NPCI Managing Director AP Hota said: "We have received complaints from banks about debit cards being used in China which aroused suspicion."
"Though most of the suspected fraudulent transactions happened in the Visa and MasterCard network, we thought a whole a forensic audit of the entire network will help us find out where the compromise happened," he said.
HDFC Bank said it had already taken action in the matter a few weeks back. "Besides advising those customers who we know have used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN, we are advising our customers to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs," a spokesperson said. "We take this opportunity to reiterate that it's always prudent to change ATM PINs from time to time. It prevents misuse."
The Times of India had reported on Wednesday that SBI would reissue 600,000 debit cards following a malware-related security breach. SBI has asked customers to change their PIN numbers as well.
"Based on the complaints we have received, we are suspecting a compromise on the non-SBI ATM network which could include various white-label ATM service providers," SBI Chief Information Officer Mrutyunjay Mahapatra told ET.
"Therefore, as a precautionary measure, we have blocked six lakh debit cards. We have assured our customers that there has not been any breach on the ATM network of SBI."
Visa, MasterCard, ICICI Bank, Axis Bank and YES Bank did not respond to queries sent late on Wednesday.
Banks had been receiving multiple complaints from customers about cards being used in China at various ATMs and point of sale terminals. They in turn alerted Visa and MasterCard. A forensic audit is being conducted by Bengaluru-based payment security specialist SISA.
Some sources said the malware infection took about six weeks to detect, compromising transactions that took place during this period. As many as 3.2 million cards were used on the Hitachi network during this time.
Image Source Indiatimes.com