A major cyber-attack on the back-end system of a bank is suspected to have compromised at least 32 lakh debit cards used at ATMs, with card and PIN details suspected to have been exposed to malware at the back end. The banks worst hit by the breach are HDFC Bank, SBI and its subsidiaries, Yes Bank, ICICI Bank and Axis Bank.
According to a report in Times of India, the problem relates to the feared breach in the systems of Hitachi Payment Services, which manages the ATM network processing for Yes Bank. The matter came to light around July. The private bank maintained that no compromise had been detected in its ATM network and that the measures were proactive.
“Yes Bank has undertaken a review of its ATMs, and there is no evidence of a breach or compromise. Yes Bank continues to work with relevant stakeholders, including other public sector and private banks, and NPCI (National Payments Corporation of India), to ensure utmost safety and security of its ATM network and payment services which are completely safe to use,” it said.
Debit Cards of several banks affected
The data breach has not only compromised accounts of Yes Bank customers but also other leading banks like SBI, which has recalled 6.25 lakh cards as a precautionary measure, the reports said.
The steps taken by the bankers include asking customers to change the PINs of their ATM-cum-debit cards; this has now gone up one level to changing the cards as well if customers do not comply.
The reason why a large number of banks are impacted is that Yes Bank, despite having a small number of ATMs, sees a large number of third-party transactions on its machines.
According to bankers, the breach was effected in such a way that anyone using the said bank’s ATMs in the region might stand to be affected.
As per a briefing by SBI to agencies, the compromise happened at the payment switch, from where data is being leaked. All cards that have a similar digital chip series and design are being changed as a precautionary measure.
After asking customers who may potentially be hit to change their security code, the largest lender, State Bank of India, has also started a process to block, at its own cost, the cards of those who did not do so, its spokesperson said on Wednesday.
“Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks,” SBI said in a statement this evening.
“We came to know about the security breach and proactively recalled affected cards as we did not want our customers to be at any risk. There was no breach in our system. We are now issuing EMV-based debit cards which cannot be compromised,” SBI deputy managing director and chief operating officer Manju Agarwal told PTI.
She, however, declined to give the number of debit cards the bank has recalled. SBI has nearly 20 crore debit cards. There were media reports that said SBI had recalled 6.25 lakh debit cards due to a malware-related security breach.
SBI further emphasised that its systems are absolutely fine and not compromised, and that existing cardholders are not at any risk.
“We are in the process of issuing new cards at no cost to those cardholders whose cards have been blocked. This is a cards industry incident and not an SBI only incident,” an SBI statement said.
However, all the bankers were quick to claim that the breach has not led to any monetary losses to anyone and all the measures being taken are to safeguard the system against any potential threat.
When contacted, an RBI official said the central bank is seized of the matter and is looking into the issue.
Bankers said the problem was first discovered between May and July, and banks have resorted to recalling the affected debit cards from September. RBI has issued an advisory that banks be more careful in future.
“Data processes of one private bank were compromised, which affected other banks’ customers as well. Customers who used that bank’s ATM stand to get potentially affected,” said another public sector banker.
(With Inputs from PTI)