
Malware caused India’s biggest debit card data breach

The largest data breach in India’s banking system, which affected nearly 3.2 million debit cards in 2016, was caused by a malware injection in its systems, said Hitachi Payment Services Pvt Ltd – the firm at the center of the security breach.

According to India Times, the company made the acknowledgement following the final assessment report from payments and information security audit firm, SISA Information Security.

“We confirm that our security systems had a breach during mid-2016,” its managing director Loney Anthony said, adding this happened despite following adequate security measures and adopting the standards of internationally-accepted best practices.


The company added that it does not know how much data was compromised, as this is “unascertainable due to secure deletion by the malware.”

“Hitachi Payment Services regrets the inconvenience caused to banks and its customers due to this lapse in its security infrastructure. We assure you of our highest commitment to building a robust infrastructure in our systems and preventing such cyber frauds in future,” Anthony said.

While the debit card data was compromised between May 21 and July 11 last year, it was not until September that the banking system became aware of this large-scale data breach that happened on Yes Bank’s ATM network, managed by Hitachi.

The breach was first detected after a few banks raised an alarm over the fraudulent use of their customers’ cards in China and the US, while these customers were still in India.

The National Payments Corporation of India (NPCI) had said over 600 customers had reported losses of at least US$195,000 (Rs1.3 crore) due to the breach.

According to the report prepared by SISA, the malware had been able to “work undetected and had concealed its tracks during the compromise period”.


SISA confirmed the malware captured both the debit card number and PIN of customers who used their cards at the affected ATMs. However, financial losses were contained because the card issuing banks blocked cards and advised some customers to change their debit card PIN.

Yes Bank’s Rana Kapoor has called for stricter vigil on outsourced service providers following the compromise. “There needs to be a lot more vigilance where there are outsourcing partners to make sure they don’t endanger the delivery and system risk, and there’s a fair amount of policing as far as outsourcing risks are concerned,” he said.

The SISA report comes a day after the Reserve Bank of India appointed an inter-disciplinary standing committee on cyber security.

This committee will review threats inherent in existing and emerging technology, study adoption of various security standards and protocols, interface with stakeholders and suggest appropriate policy interventions to strengthen cyber security and resilience.