By Devidutta Tripathy
MUMBAI, Oct 20 A slew of banks in India are
replacing or asking their customers to change security codes of
as many as 3.25 million debit cards due to fears that the card
data may have been stolen in one of the country's largest-ever
cyber security incidents.
Card network providers Visa, MasterCard, and
home-grown RuPay run by the National Payments Corp of India
(NPCI) swung into action in September after receiving complaints
from some banks that their clients' cards had been fraudulently
used mainly in China and the United States even though they were
in India, said the chief of NPCI, which also runs the biggest
network of shared ATMs.
There was a possible compromise of one of the payment switch
provider's systems, NPCI Chief Executive A.P. Hota said in a
statement. A switch is part of the back-end network aiding ATM
operations.
Hota said the card network providers had alerted all
affected banks and the advice to banks to replace cards was a
"preventive exercise", adding: "Necessary corrective actions
already have been taken and hence there is no reason for bank
customers to panic."
Of the debit cards affected, about 2.65 million are on Visa
and MasterCard platforms, while 600,000 are on RuPay, Hota
earlier told CNBC TV18, adding the breach involved some 90 ATMs.
Visa and Mastercard said in separate statements their own
networks had not been compromised, but they were aware of the
issue and were working with banks, regulators and others to
support investigations.
While the potential breach impacts a large number of debit
card holders, the number of cards affected accounts for just 0.5
percent of the nearly 700 million debit cards issued by banks in
India.
While the NPCI did not name the payment switch provider
whose systems it found had been compromised, banking industry
sources with direct knowledge said the issue stemmed from a
breach in systems of Hitachi Ltd subsidiary Hitachi
Payment Services, which manages ATM network processing for Yes
Bank Ltd.
The sources were not authorised to speak with media on the
matter and so declined to be identified.
Yes Bank said in a statement on Thursday it had proactively
undertaken a review of its ATMs and found no evidence of any
breach. The bank said it continued to work with other banks and
the NPCI to ensure safety and security of its ATM network and
payment services.
A Hitachi spokeswoman said it was investigating the matter,
including whether there was a malware problem, adding it had no
further comment at this time.
State Bank of India, the nation's top lender, said
it had blocked cards of certain customers after being informed
by card network providers about a breach outside its network and
it was replacing those cards as a proactive measure.
The bank has found about 620,000 of its more than 200
million cards "vulnerable", Mrutyunjay Mahapatra, a deputy
managing director at SBI, told Reuters, but added he did not
expect any significant financial loss.
Complaints of fraudulent cash withdrawals affected a total
641 customers of 19 banks, and the money involved was 13 million
rupees ($194,612), according to NPCI.
ICICI Bank, HDFC Bank and Axis Bank
- the top three private sector lenders - confirmed in
separate statements some of their customers' card accounts had
been possibly breached after use at outside ATMs. The banks said
they had advised the clients to change their PINs.
Standard Chartered's Indian unit has also begun to
re-issue debit cards for some customers, according to messages
sent to clients. The bank said it replaced possibly affected
cards as a "precautionary measure" to ensure that customers'
financial security is not compromised, adding there was no
breach across its own network.
($1 = 66.7995 Indian rupees)
(Reporting by Devidutta Tripathy; Additional reporting by
Suvashree Dey Choudhury and Katsuro Kitamatsu; Editing by
Christopher Cushing and Elaine Hardcastle)