Have you received an alert from your bank recently urging you to change your ATM PIN? Turns out a massive debit card hack has reportedly hit major Indian banks such as HDFC Bank, ICICI Bank, Yes Bank, Axis Bank and SBI, compromising as many as 3.2 million debit cards.
According to an Economic Times report, the hack may be among the biggest ever financial data breaches in India with several victims reporting unauthorised transactions that have reportedly originated in China.
SBI, HDFC Bank, ICICI Bank, YES Bank and Axis Bank were among the worst hit, according to the report. About 2.6 million affected cards are reportedly on the Visa and Mastercard platforms, while 600,000 are on RuPay.
In an e-mailed statement to HuffPost India, SBI said, "Card network companies NPCI, Mastercard and Visa had informed various banks in India about a potential risk to some cards in India owing to a data breach. Accordingly, SBI has taken precautionary measures and has blocked cards of certain customers identified by the networks."
The statement added that SBI's systems have not been compromised, but the bank is in the process of issuing new cards to card holders whose cards have been blocked.
"This is a cards industry incident (not only SBI)," the statement added.
Times of India reported earlier that SBI is reissuing 600,000 debit cards in addition to asking its customers to change their PINs.
A Yes Bank spokesperson told HuffPost India in a statement that the bank has "undertaken a comprehensive review of its ATMs" and found no evidence of a breach or compromise on its ATMs.
An Axis Bank spokesman said, "The breach occurred in the case of customers who have used certain non-Axis Bank ATMs. Over the last few weeks, Axis Bank has proactively reached out to the affected customers and advised them to change their Debit Card PINs. The Axis Bank ATM network is fully secured and customers should ideally use Axis Bank ATMs to change their Debit Card PINs."
The Payments Council of India has, meanwhile, begun a forensic audit to check for signs of financial fraud in customer accounts. NPCI Managing Director AP Hota told ET that NPCI had received complaints from banks about debit cards being used in China, which had aroused suspicion.
HDFC Bank has also reportedly advised its customers to change their ATM PINs and only use HDFC ATMs for transactions, as non-HDFC ATMs may not have security controls on par with its own.
A Mastercard spokesperson said in an e-mailed statement, "We are aware of the data compromise event. To be clear, Mastercard's own systems have not been breached." The statement added that the company is currently working on the investigations with regulators, issuers, acquirers, global and local law enforcement agencies and third-party payment networks to assess the current situation.
Visa has said that while it doesn't currently process domestic debit ATM transactions in India, it is working closely with all networks and its financial institution partners to support the investigations. It also urged Visa cardholders to report any suspicious activity and change their PINs as a precautionary measure.
The breach is said to have originated through malware that was introduced in the systems of Hitachi Payment Services, a provider of ATMs and Point of Sale services. Hitachi couldn't be reached for comment.
Spokespeople for ICICI, Axis Bank and HDFC weren't immediately available for comment.
Note: This story has been updated to include additional comments from Mastercard, Visa and Axis Bank.