Mumbai/New Delhi: In biggest-ever security breach affecting the Indian banking sector, 32 lakh debit cards of various public and private sector banks are feared to have been 'compromised' by cyber malware attack in some ATM systems, even as the government asked people not to panic.
Several banks, including state-run State Bank of India (SBI), have recalled a large number of cards, while many others blocked the ones suspected to have been compromised and asked their customers to change PINs (personal identification number) before use.
Fraudulent withdrawals have been reported from 19 banks so far, while complaints have been received from a few banks that their customers' cards were used fraudulently abroad, mainly in China and USA while customers were in India.
"All affected banks have been alerted by card networks that a total card base of about 3.2 million could have been possibly compromised. Out of this 0.6 million are RuPay cards," said National Payments Corporation of India (NPCI), the umbrella body for all retail payments system in India.
In a statement, NPCI said the complaints of fraudulent withdrawals so far have come from 641 customers and the total amount involved is Rs 1.3 crore as reported by various affected banks.
Seeking to calm worried bank customers, the Department of Financial Services additional secretary G.C. Murmu told PTI, "Only about 0.5 percent of total debit card details were compromised while remaining 99.5 percent cards are completely safe and bank customers should not panic."
There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed RuPay cards while the rest are Visa and Master Card enabled.
Bankers said the recalled cards include those that have been replaced as a 'pre-emptive measure', while in many cases the customers have been asked to mandatorily change the PIN and other security numbers to resume using the blocked cards.
SBI is said to have re-called around 6 lakh cards, while others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have also replaced debit cards of several customers as a pre-emptive measure. Canara Bank has also asked its customers to change their PINs, failing which the cards would be blocked by Friday.
Among the private sector players, ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PINs. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.
The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves ATM network of Yes Bank and also some white-label ATMs.
Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.
Yes Bank sought to distance itself from the breach and stressed on need to police service providers in a better way.
"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," Yes Bank chief Rana Kapoor told reporters.
Hitachi Payment Services, however, maintained its system was not compromised, citing interim report by an external audit agency appointed by it.
According to bankers, the breach took place in such a way that anyone using the said bank's ATMs in the region might stand to get affected.
Murmu said data of the users who have transacted from ATM machines of Hitachi have been compromised during May, June and July.
The Hitachi ATMs, he added, deployed by many White Label ATM players and Yes Bank were impacted by the malware while usage at other ATMs were completely secured.
NPCI said it is closely working with all stakeholders and once the forensic investigation is over and the root cause is identified, it will issue a further set of recommendations as precautionary measures to member banks.
A Yes Bank statement said the bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on the bank's ATMs.
"We would like to inform that the possible breach of information of debit cards has taken place in the ATM network of another bank. As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed. This has been done in order to protect our customers from any potential fraudulent transaction," ICICI Bank said.
HDFC Bank said its systems detected a potential compromise of debit cards arising from usage at a non-home ATM network a few weeks ago.
"We immediately notified customers who we knew had used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN. We take this opportunity to stress that all our customers use HDFC Bank ATMs only and also change ATM PINs from time to time to prevent misuse," the bank said in a statement.
SBI said in a statement that it blocked the cards of certain customers at potential risk from a data breach, as identified by card network companies NPCI, Mastercard and Visa. The bank said it is in the process of issuing new cards at no cost to the customers whose cards have been blocked.
The move has been undertaken to ensure that customer's confidential personal data is not compromised while swiping them for various transactions.
SBI's deputy managing director and chief operating officer Manju Agarwal said the data breach took place between May and July, but was discovered only in September and so the bank decided to proactively change the cards."
She, however, declined to give the number of debit cards the bank has recalled, but sources said it was around 6 lakh cards. SBI has issued nearly 20 crore debit cards.
An Axis Bank spokesperson said, "The bank has proactively reached out to the affected customers and advised them to change their Debit Card PINs. The Axis Bank ATM network is fully secured and customers should ideally use Axis Bank ATMs to change their Debit Card PINs."
One of the card network companies MasterCard said Thursday that its "own systems have not been breached".
"We are working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation," a MasterCard spokesperson said.
It has advised the consumers to review their account statements and activity, and if any unusual or fraudulent transactions are suspected, they should contact the concerned bank for more assistance.
(With agency inputs)
