Indian banks hit by massive ATM breach

India's top banks are asking customers to change PIN codes and recalling millions of debit cards following reports of a malware-based security breach at a number of unspecified ATMs across the country.

  25 2 comments

Indian banks hit by massive ATM breach

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

State Bank of India, HDFC Bank, ICICI Bank, Yes Bank and Axis Bank have all issued advisories concerning the breach, which may impact up to 3.2 million debit cards. Earlier this week, State Bank of India blocked and recalled over 600,000 cards, while other banks have instructed some customers to alter their PINs and avoid using ATMs that are not on their network.

In a statement, SBI says: "Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks."

Shiv Kumar Bhasin, SBI's chief technology officer (CTO), told the Times of India newspaper: "A few ATMs have been affected by a malware. When people use their card on infected switches or ATMs, there is a high probability that their data will be compromised."

A P Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel that cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country. Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay.

Hota speculates that the infection spread from a compromised gateway switch. Banking industry sources contacted by Reuters pointed the finger at Hitachi Payment Services, which manages ATM network processing for Yes Bank.

Kspersky Lab, which last month informed Axis Bank of a breach of its servers by an offshore hacker, says ATMs are terrifyingly easy to hack. "Looting an ATM is a trivial task, and banks are losing big," says the firm.

Update National Payments Corporation of India says that the PCI Council governing international security standards for card-based transactions is conducting a forensic audit of the payments switch of one bank "which is likely to be the source of the compromise". Cases of illegal withdrawals have so far been limited to 641 customers of 19 banks, and the total amount involved was 13 million rupees ($194,600), according to the statement.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Comments: (2)

A Finextra member 

India's regulator has come up with a cyber security framework in June 2016. Today US regulators proposed 'Enhanced Cyber Risk Management Standards' to mitigate cyber risk. US standards propose a comprehensive cyber risk management program encompassing (1) Cyber risk governance (2) Cyber risk management (3) Internal dependency management (4) External dependency management (5) Incident response, cyber resilience and situational awareness.

This concerted action by regulators augurs well to address cyber risk. In view of the frequent cyber incidents, Banks have to fast track adoption of the proposed cyber security frameworks. This would help Banks to prevent or reduce data loss occurrences.

Ketharaman Swaminathan

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Before the cybersecuristas run wild with doomsday scenarios, there are 697M debit cards in India, so the 3.2M debit cards affected by this breach works out to 0.46%. Hardly a massive breach...

[On-Demand Webinar] AI in Banking: Building Compliant and Safe Enterprise AI at ScaleFinextra Promoted[On-Demand Webinar] AI in Banking: Building Compliant and Safe Enterprise AI at Scale