Data breach probe widens, police say 6.5 million debit cards could be affected

Multiple agencies, including Mumbai Police’s cyber crime cell, finance ministry and govt’s CERT-In participate in the debit card data breach investigation


The finance ministry has sought a detailed report from banks and RBI on all aspects of the debit card fraud. Photo: Hemant Mishra/Mint
The finance ministry has sought a detailed report from banks and RBI on all aspects of the debit card fraud. Photo: Hemant Mishra/Mint

Mumbai: Multiple government organizations, including the cyber cell of the Mumbai Police’s crime branch, the ministry of finance and the government’s cybersecurity arm Computer Emergency Response Team-India (CERT-In), are aggressively looking into the largest reported data breach India’s banking system has experienced so far.

The extent of the breach is not yet fully known though one agency put the number of compromised cards as high as 6.5 million.

After reports of a data breach in 3.2 million debit cards surfaced, the cyber cell of Mumbai Police’s crime branch on Friday stepped into the investigation, taking cognizance of the issue on its own. The cell has sought information and data from the National Payments Council of India (NPCI) and the Reserve Bank of India in this connection, said a senior official.

“No complaint has come to us for a formal investigation; but initial examination suggests 6.5 million cards have been compromised,” said Brijesh Singh, Special IG-Cyber, Maharashtra Police.

“We have also sought a full report from NPCI,” Singh added. He didn’t reveal the source of the 6.5 million figure.

However, at the bank level, there is no clarity on the kind of data that was stolen.

“It is still unclear what kind of customer data has been breached into; that is what the investigation has to confirm. According to what we know, only card details, PIN and customer phone numbers can be stolen from an ATM; but we don’t know if any other bank data has been compromised. From initial reports, the damage seems small, but we will be able to better assess it after the (SISA Information Security ) report comes out in November,” said a banker aware of these developments.

Mint reported on Friday that NPCI, Visa, Mastercard, the banks involved and Hitachi Payment Services had called for a forensic probe by SISA Information Security Pvt. Ltd last month.

Separately, the ministry of finance has sought a detailed report from banks and RBI on all aspects of the debit card fraud, even as it received a preliminary report, said Shaktikanta Das, secretary, department of economic affairs.

“The government is seized of the matter. We have sought a report from RBI and banks. After receiving the reports, necessary action will be taken by the government,” Das said, adding that the reports will contain all aspects of the fraud.

Das said the integrity of banks’ information technology systems is very robust and the government will take “whatever action is required”, adding that there is no need for alarm.

“We have sought a report on the debit card fraud. The idea is to be able to contain the damage post findings of the report,” said finance minister Arun Jaitley.

After media reports of the debit card data breach, CERT-In sent a report to the government listing the steps it has taken so far, said an official in the ministry of electronics and information technology.

The cybersecurity agency has written to State Bank of India, Axis Bank and HDFC Bank asking for information about the incident, said the report viewed by Mint.

ALSO READ | Debit card data breach seen hindering Narendra Modi’s quest to go cashless

On 19 October, CERT-In had, along with the National Critical Information Infrastructure Protection Centre, sent a mail to the chief information security officers of banks about a rise in the instances of fraud being carried out through bank ATMs by using malware, the cybersecurity agency’s report said.

CERT-In in July sent out an alert on planned cyber attacks on banks’ information infrastructure. Subsequently, it had alerted banks on 12 August and 24 August about “backdoor Trojans which steal credentials of users and... advanced targeted attacks, along with the indicators of compromise for the banks to take action”, the report said.

ALSO READ | Debit card compromised: Should you be worried?

On 7 October, CERT-In issued another alert about expected cybersecurity attacks on bank infrastructure by Pakistani hackers, the report said.

Jayshree P. Upadhyay, Remya Nair and Vishwanath Nair of Mint contributed to this story.

More From Livemint