Mumbai/New Delhi: Hit by an unprecedented ATM security breach, several public and private sector banks have recalled or blocked over 32 lakh debit cards to safeguard their customers from any financial fraud, while the government has sought from them details of all necessary safety measures.
Bankers said the recalled cards include those that have been replaced as a ‘pre-emptive measure’, while in many cases the customers have been asked to mandatorily change the PIN and other security numbers to resume using the blocked cards.
While there were some reports about certain cards, affected by security breach, having been used fraudulently abroad including in China, bankers appeared putting the blame on a payment services provider that manages ATM network of a private sector bank.
State-run SBI is said to have re-called around 6 lakh cards, while others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have also replaced debit cards of several customers as a pre-emptive measure.
Among the private sector players, ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PINs. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.
The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves ATM network of Yes Bank.
Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.
Yes Bank sought to distance itself from the breach and stressed on need to police service providers in a better way.
“There needs to be a lot more vigilance where there are outsourcing partners to make sure they don’t endanger the delivery and system risk, and there’s a fair amount of policing as far as outsourcing risks are concerned,” Yes Bank chief Rana Kapoor told reporters.
Hitachi Payment Services, however, maintained its system was not compromised, citing interim report by an external audit agency appointed by it.
According to bankers, the breach took place in such a way that anyone using the said bank’s ATMs in the region might stand to get affected.
Concerned over the issue, the Finance Ministry has sought details from banks as also the additional steps that need to be taken to avert such incidents.
According to the Ministry sources, the Department of Financial Services has sought information about implication of such data compromise from Indian Banks Association.
Seeking to calm worried card users, the Finance Ministry also said that debit cards are completely safe and there should be no room for panic.
“Only about 0.5 per cent debit card details were compromised while remaining 99.5 cards are completely safe and bank customers should not panic,” Department of Financial Services Additional Secretary G C Murmu told PTI.
Meanwhile, a Finance Ministry source said, “We have got information from SBI that PIN (Personal Identification Number) related with few debit cards has been compromised and the bank is in the process of replacing it with new card in secured manner.”
The bank has taken measures to ensure safety of data, the source added.
In a statement, SBI said, “Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach.
Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by networks.”
SBI’s Deputy Managing Director and Chief Operating Officer Manju Agarwal said the data breach took place between May and July, but was discovered only in September and so the bank decided to proactively change the cards.
“As soon as we came to know financial data being stolen, we asked our customers to change the ATM pin numbers. Despite instructions only 7 per cent of the customers changed their pin numbers. At that point we decided to recall cards as we did not want our to customers to be at any risk,” she said.
She, however, declined to give the number of debit cards the bank has recalled, but sources said it was around six lakh cards. SBI has issued nearly 20 crore debit cards.
An Axis Bank spokesperson said, “The bank has proactively reached out to the affected customers and advised them to change their Debit Card PINs. The Axis Bank ATM network is fully secured and customers should ideally use Axis Bank ATMs to change their Debit Card PINs.”
SBI said its systems have not been compromised and its existing cardholders are not at any risk.
The bank is in the process of issuing new cards at no cost to those whose cards have been blocked, and it is an industry incident and not an SBI only incident, it added. Another state-run bank’s chairman and managing director said, “As soon as we came to know about the security breach, we replaced debit cards of those customers which we thought were at high risk. We replaced around 3 lakh debit cards.” Bankers said some of their customers reported about suspicious transactions, which took place in China, from their international debit cards.
“There was some compromise of data and when the bank came to know about some suspicious transactions which had taken place overseas. We have already completed the process of recalling the card,” Bank of Baroda Executive Director Mayank Mehta said.
The bank has verified its internal switch system, softwares and is also checking offsite ATMs, he added.