Banks, payments platforms and even the ATM manager involved in the largest data breach India’s banking system has experienced yet said on Thursday that their systems had not been compromised.
And it took three months for India’s banking system to become aware of a large-scale data breach, according to half-a-dozen people that Mint spoke to.
Card data of 3.2 million customers was stolen between 25 May and 10 July from a network of Yes Bank Ltd ATMs managed by Hitachi Payment Services Pvt. Ltd, but it was only in September that banks and payments services providers became aware of the extent of the breach.
“The finance ministry is in talks with all important stakeholders including banks and has sought a report on the impact of this breach. We are also looking at measures to increase security in card transactions..," said a finance ministry official who did not want to be identified.
National Payments Corporation of India (NPCI), Visa, Mastercard, Payments Council of India, the banks involved and Hitachi Payment Services called for a forensic probe by SISA Information Security Pvt. Ltd last month.
“The final report will only come in November, after which there will be some clarity," said one of the six people on condition of anonymity.
Mint learns that 90 Yes Bank ATMs and point of sale (PoS) terminals were targeted by malware, resulting in data of customers of banks including State Bank of India (SBI), ICICI Bank Ltd, HDFC Bank Ltd and Yes Bank being stolen by hackers.
According to a second person who asked not to be identified, the breach happened in a network of Yes Bank ATMs managed by Hitachi Payment Services.
The victims appear to have been people who used this ATM network.
Yes Bank said in a statement that there had been no security breach in its own systems. However, Rana Kapoor, managing director and CEO of the bank, admitted that there was a risk involved with third-party service providers who manage ATMs.
Hitachi Payment Services’ managing director Loney Antony said an interim report from the company investigating the issue “does not suggest any breach/compromise in our systems".
After becoming aware of the seriousness of the breach, SBI decided to reissue 625,000 cards, the bank said in a statement.
India’s largest lender said the breach did not take place through any lapses in its systems, and a senior SBI official who spoke on condition of anonymity said the bank did not suffer any major monetary loss.
ICICI Bank and HDFC Bank asked some customers to change the personal identification number on their cards. HDFC Bank asked customers to restrict their usage of other bank ATMs.
Of the 3.2 million cards involved in the data breach, over 2.6 million belonged to Mastercard and Visa networks, and the remaining were from the RuPay network, according to A.P. Hota, managing director and chief executive, NPCI. “The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers. The total amount involved is Rs1.3 crore..," he added in a statement.
According to experts, data breaches are often taken lightly in India. “Names and date of birth of customers is a major data breach and can be misused widely," said Tarun Bhatia, managing director, investigations and disputes, Kroll Associates (India) Pvt. Ltd.