The Government and the Reserve Bank of India swung into action as the country's biggest banks scrambled to reassure account holders that their money was safe after 3.2 million debit cards were found to be at risk from fraudsters who'd stolen vital data that could allow them to siphon off funds. Concerns are being raised as to why banks, which came to know of the problem six weeks ago, didn't alert the authorities or act with greater urgency.
RBI directed banks trying to plug India's biggest such data theft to submit a report on the magnitude of the security breach at their ATMs, pending a forensic report that's expected by the end of the month. The finance ministry has asked for a detailed report from RBI and National Payments Corporation of India (NPCI) about the debit card information breach.
NPCI is the nodal agency that connects the country's ATMs and runs the RuPay gateway .
While there's no estimate of how much money may have been stolen, banks were tipped off to the threat as much as six weeks ago when customer complaints first came in about unauthorised transactions overseas. Although the thefts may have been restricted to a few thousand cards, the security breach at a payment gateway believed to have been caused by a malware infection potentially exposed deposits amounting to hundreds of crores. Sources said banks that failed to act in time may face penalties. NPCI suggested however that the scale of the thefts that did occur was relatively minor.
The banks, NPCI, Visa and MasterCard all said their systems weren't breached.Some said information may have been compromised when customers used ATMs that didn't belong to the respective banks. RBI has had a “couple of conversations“ with YES Bank, which uses Hitachi Payment Services, where the breach is said to have originated from, people with knowledge of the matter said.YES Bank and Hitachi Payment Services however denied the malware infection took root in their systems.
Details of more than 3.2 million debit cards of State Bank of India, ICICI Bank, HDFC Bank, YES Bank, Axis Bank and others were compromised. NPCI and the banks admitted to the breach though the information the banks were willing to share was minimal.
The breach came to the notice of bankers in September when customers began calling service centres complaining about transactions in China, the US, Indonesia and Russia.