Photo: Aniruddha Chowdhury/Mint

Debit card data breach: RBI likely to tighten cyber security norms today

RBI to ask all lenders to report cyber security issues on a real-time basis at meeting on debit card data breach

The Reserve Bank of India (RBI) has called a meeting on Monday with all stakeholders involved in the largest data breach in India’s banking system, said two people with direct knowledge of the development.

The meeting will be chaired by a deputy governor of the central bank and will be attended by executives from banks and payment network service providers. 

The central bank will ask all lenders to report cyber security issues on a real-time basis, an RBI official, one of the two people cited above, said on condition of anonymity.

The regulator may also ask all banks to centralize their cyber security operations and put a proper team in place instead of outsourcing these functions, this person said. 

The matter gains urgency in view of the large-scale data breach. The RBI official said that banks took a month to bring this issue to its notice despite its latest notification on cyber security. 

“It is observed that banks are hesitant to share cyber-incidents faced by them. However, the experience gained globally indicates that collaboration among entities in sharing the cyber-incidents and the best practices would facilitate timely measures in containing cyber-risks. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank,” read the central bank’s notification issued on 2 June.

Mint had reported on Friday that it took three months for India’s banking system to become aware of the large-scale data breach. Card data of 3.2 million customers was stolen between 25 May and 10 July from a network of Yes Bank Ltd ATMs managed by Hitachi Payment Services Pvt. Ltd, but it was only in September that banks and payments services providers became aware of the extent of the breach. On Thursday, Yes Bank and Hitachi released statements denying there was a breach in their respective systems. 

The regulator has a broad sense of the issue but it is also likely to separately investigate the matter, said the first person cited above. The regulator will conduct annual cyber audits of banks starting next year. 

A detailed forensic report is already being prepared by SISA Information Security Pvt. Ltd, a global payments security specialist firm.

“We are working with various stakeholders. We will also work with various other agencies required for this investigation. The investigation is on track. The necessary results will be shared with the concerned stakeholders once we have completed the investigation,” said Dharshan Shanthamurthy, chief executive of SISA. The report is expected in November.

Multiple government organizations, including the cyber cell of the Mumbai Police’s crime branch, the ministry of finance and the government’s cybersecurity arm Computer Emergency Response Team-India (CERT-In), are now investigating the data breach.

“Banks are yet to report the matter to the cyber cell, despite it being mandatory. We have sought information from banks and NPCI about the crime,” said Brijesh Singh, special IG, cyber, Maharashtra Police. NPCI, short for National Payments Corporation of India, is the umbrella organization for all retail payment systems in the country.

Separately, the Press Trust of India reported that the finance ministry had asked various agencies, including RBI, to submit their reports in 10 days.
