As Indian banks swung into damage control mode reassuring customers that their accounts were safe following reports of a massive debt card hack affecting 3.2 million cards, the Finance Ministry and RBI have asked the banks to immediately assess and inform about the scale of the damage.
According to media reports, the hack went undiscovered for three months and it wasn't until September that banks became aware of the magnitude of the breach. Data from cards from 3.2 million customers was stolen between 25 May and 10 July from a network of Yes Bank ATMs managed by Hitachi Payment Services, Mint reported citing sources.RBI has asked the banks to secure their systems and inform the central bank on the magnitude of theft. This in addition to a forensic report that is underway by the Payments Council of India.
Banks have so far been quick to reassure that their customers' accounts were safe even as they cautioned their customers to change their PIN numbers and report any suspicious activity. All the banks have admitted to a breach, but denied their own systems were compromised.
About 32 lakh debit cards of various public and private sector banks are feared to have been 'compromised' by cyber malware attack in some ATM systems, even as the government asked people not to panic.
Fraudulent withdrawals have been reported from 19 banks so far, while complaints have been received from few banks that their customers' cards were used fraudulently abroad, mainly in China and USA while customers were in India.
According to an ET report, RBI has already spoken to YES Bank, which uses Hitachi Payment Services. However, both Hitachi Payment and Yes Bank have denied their systems were infected by malware.
Yes Bank CEO Rana Kapoor has said, "As far as we are concerned, there are no such breaches or compromises... As an abundance of caution we have made sure and checked or double checked (our systems)...I am not an expert in ATMs... but there is a systemic issue. There will be some malwares on and off but there is heightened security. There are ATM models which are outsourced today and they require vigilance, quality and security controls."
In a statement, National Payments Corporation of India (NPCI) said the complaints of fraudulent withdrawals so far have come from 641 customers and the total amount involved is Rs 1.3 crore as reported by various affected banks.
Seeking to calm worried bank customers, the Department of Financial Services Additional Secretary G C Murmu told PTI, "Only about 0.5 per cent of total debit card details were compromised while remaining 99.5 cards are completely safe and bank customers should not panic."
There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed RuPay cards while the rest are Visa and Master Card enabled.
SBI, HDFC Bank, ICICI Bank, YES Bank and Axis Bank were among the worst hit, according to an ET report. About 2.6 million affected cards were reportedly on the Visa and Mastercard platform, while 600,000 are on RuPay.
With PTI inputs