Indian banks hit by massive ATM breach – up to 3.25 million debit cards possibly compromised

India’s top banks are asking customers to change PIN codes and recalling millions of debit cards following reports of a malware-based security breach at a number of 90 ATMs across the country. State Bank of India, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank have all issued advisories concerning the  fears that the card data may have been stolen in one of the country’s largest-ever cyber security incidents., which may impact up to 3.25 million debit cards.

Card network providers Visa Inc, MasterCard Inc, and home-grown RuPay have alerted banks to the possible compromise, A.P. Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel.

The cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country, said Hota, adding that the issue was still being investigated.

Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay, said Hota, adding he believed the issue had been contained.

„Adequate precautions have been taken, information security officers of all the banks and the information security officers of all three networks are in close touch with each other,” said Hota. „There is no reason for any panic, or any kind of worry.”

Visa and Mastercard said their own networks had not been compromised, but they were aware of the issue and were working with banks, regulators and others to support investigations.

While the potential breach impacts a large number of debit card holders, the number of cards affected account for just 0.5 percent of the nearly 700 million debit cards issued by banks in India.

Although breaches such as this have occurred in India in the past, Hota said prior breaches have been typically localized to five or 10 ATMs. He added the latest breach may have been caused by a compromised „switch” – part of the back-end networks aiding ATM operations – of one particular local bank.

It was not clear whether the security breach involved card numbers and personal identification numbers only or other data.

Banking industry sources with direct knowledge of the matter said the issue stemmed from a feared breach in systems of Hitachi Ltd (6501.T) subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd (YESB.NS).

The sources were not authorized to speak with media on the matter and so declined to be identified.

Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.

A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding it had no further comment at this time.

The Economic Times newspaper earlier on Thursday reported that the worst-hit of the card-issuing banks were Yes Bank, State Bank of India (SBI.NS), HDFC Bank Ltd (HDBK.NS), ICICI Bank Ltd (ICBK.NS) and Axis Bank Ltd (AXBK.NS).

State Bank of India, the nation’s top lender, said it had blocked cards of certain customers after being informed by card network providers about a breach outside its network and it was replacing those cards as a proactive measure.

The bank has found about 620,000 of its more than 200 million cards „vulnerable”, Mrutyunjay Mahapatra, a deputy managing director at SBI, told Reuters, but added he did not expect any significant financial loss.

ICICI Bank, HDFC Bank  and Axis Bank – the top three private sector lenders – confirmed in separate statements some of their customers’ card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.

Standard Chartered’s Indian unit has also begun to re-issue debit cards for some customers, according to messages sent to clients.

Kspersky Lab, which last month informed Axis Bank of a breach of its servers by an offshore hacker, says ATMs are terrifyingly easy to hack. „Looting an ATM is a trivial task, and banks are losing big,” says the firm.

Source: Reuters