Debit card fraud: In biggest ever cyber security breach in India, customers lose Rs 1.3 cr

Complaints across 19 banks, 641 customers

The National Payments Corporation of India (NPCI) estimated on Thursday Oct 20,2016 that Rs 1.3 crore had been lost by Indian customers in what is turning out to be the biggest ever cyber security breach in the country, putting as many as 3.25 million debit cards at risk. Data across cards are believed to have been stolen from the ATM of an Indian private sector bank that is serviced by Hitachi Payment Services. Of the debit cards affected, 2.65 million are on Visa and Mastercard platforms, while 600,000 are on RuPay.

The complaints of fraudulent withdrawals are spread across debit cards of 19 banks and 641 customers, NPCI said, even as a host of lenders rushed to either replacing cards or asking customers to change their ATM PIN codes. As part of damage control measures, banks are asking customers to use their debit cards only at an ATM of the host bank.

State Bank of India (SBI) customers are believed to have lost around R10 lakh in 18 transactions traced to China, sources told FE. According to a senior banker, the breach may have occurred between mid-May and the first week of July and suspicious transactions were reported on September 5 and October 14, when 15 transactions were noticed from China. The bank decided to block the cards suspecting a data breach and started monitoring them. “After the September withdrawals, the banks sent out advisories to their customers asking them to change their ATM security PIN. All the affected cards were magnetic strip cards and not chip-based,” he said.

In a statement on Wednesday Oct 19,2016, SBI had said that card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and blocked cards identified by the networks.

Axis Bank said in a statement on Thursday Oct 20,2016 that the breach had occurred in the case of customers who used certain non-Axis Bank ATMs. An ICICI Bank spokesperson said, “We assure our customers that the ATM network of ICICI Bank is equipped with the best-in-class security measures. We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank.”

A statement from Hitachi Payment Services said the company had appointed an external audit agency certified by PCI in the first week of September to check the security of its systems for any breach based on a few suspected transactions highlighted by banks for whom it managed the ATM network. “The interim report of the audit agency does not suggest any breach and the final report is expected by mid-November,” it said.

In May 2016, RBI instructed banks to move from magnetic strip cards to chip-based cards by September 2017 to prevent frauds like cloning and skimming. RBI data showed that at the end of July 56 banks had issued 697 million debit cards in India, of which more than 200 million cards belonged to SBI.