Security breach feared in
up to 3.25 million Indian debit cards
Send a link to a friend
[October 20, 2016]
By Devidutta Tripathy
MUMBAI
(Reuters) - A slew of banks in India will replace or ask customers to
change security codes of as many as 3.25 million debit cards due to
fears that the card data may have been stolen in one of the country's
largest-ever cyber security incidents.
Card network providers Visa Inc, MasterCard Inc , and home-grown RuPay
have alerted banks to the possible compromise, A.P. Hota, chief
executive of National Payments Corp of India (NPCI) that runs RuPay,
told the CNBC TV18 television channel.
The cards were possibly compromised by suspected security breaches
involving as many as 90 ATMs throughout the country, said Hota, adding
that the issue was still being investigated.
Of the debit cards affected, 2.65 million are on Visa and MasterCard
platforms, while 600,000 are on RuPay, said Hota, adding he believed the
issue had been contained.
"Adequate precautions have been taken, information security officers of
all the banks and the information security officers of all three
networks are in close touch with each other," said Hota. "There is no
reason for any panic, or any kind of worry."
Visa and Mastercard said their own networks had not been compromised,
but they were aware of the issue and were working with banks, regulators
and others to support investigations.
While the potential breach impacts a large number of debit card holders,
the number of cards affected account for just 0.5 percent of the nearly
700 million debit cards issued by banks in India.
Although breaches such as this have occurred in India in the past, Hota
said prior breaches have been typically localized to five or 10 ATMs. He
added the latest breach may have been caused by a compromised "switch" -
part of the back-end networks aiding ATM operations - of one particular
local bank.
It was not clear whether the security breach involved card numbers and
personal identification numbers only or other data.
Banking industry sources with direct knowledge of the matter said the
issue stemmed from a feared breach in systems of Hitachi Ltd <6501.T>
subsidiary Hitachi Payment Services, which manages ATM network
processing for Yes Bank Ltd.
The sources were not authorized to speak with media on the matter and so
declined to be identified.
[to top of second column] |
A private security guard moves past a signboard of an ICICI
automated teller machine (ATM) in New Delhi, India, October 20,
2016. REUTERS/Adnan Abidi
Yes Bank said in a statement on Thursday it had proactively undertaken a
review of its ATMs and found no evidence of any breach. The bank said it
continued to work with other banks and the NPCI to ensure safety and
security of its ATM network and payment services.
A Hitachi spokeswoman said it was investigating the matter, including
whether there was a malware problem, adding it had no further comment at
this time.
The Economic Times newspaper earlier on Thursday reported that the
worst-hit of the card-issuing banks were Yes Bank, State Bank of India,
HDFC Bank Ltd, ICICI Bank Ltd and Axis Bank Ltd .
State Bank of India said it had blocked cards of certain customers after
being informed by card network providers about a breach outside its
network, and was replacing those cards as a proactive measure.
Standard Chartered PLC's Indian unit has also begun to re-issue
debit cards for some customers, according to messages sent to clients.
HDFC, ICICI, Axis and Standard Chartered did not respond to Reuters
requests for comment.
(Reporting by Devidutta Tripathy; Additional reporting by Suvashree Dey
Choudhury and Katsuro Kitamatsu; Editing by Euan Rocha and Christopher
Cushing)
[© 2016 Thomson Reuters. All rights
reserved.] Copyright 2016 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.
|