3.2 million debit cards hit by security breach in India

Bank Card Hack

A number of banks across India are set to ask their customers to change the security codes for a whopping 3.2 million debit cards in what could be one of the biggest security breaches in the country. Several people have already begun reporting unauthorized usage of their account from places like China.

Sources told the Economic Times that the institutions which have been hit the hardest are SBI, ICICI, HDFC, Axis Bank, and Yes Bank. Out of the 3.2 million affected, 2.6 million are on the Visa and Master Card platform and the 600000 remaining are on RuPay.

The security breach apparently came about as a result of destructive malware being introduced in Hitachi Payment Services systems which provide ATM and point of sale (PoS) facilities. The vulnerability allowed hackers to steal sensitive information which in turn gave them free license to siphon off funds.

Also Read: Your smartwatch can help hackers steal your ATM PIN

The massive attack is now being investigated by the Payments Council of India (PCI). The authority has ordered a forensic audit on Indian bank servers and systems to determine the source of the frauds. National Payments Corporation of India (NCPI) Managing Director AP Hota confirmed that it has gotten complaints from banks about debit cards being utilized in China illegally.

As for the banks, HDFC asserts it had started taking action a few weeks ago, asking people who had used non-HDFC ATMs in the recent past to alter their PIN. It’s also asking customers to practice a certain degree of caution by changing their ATM PIN from time to time and engaging in transactions at HDFC ATMs only.

SBI is taking things a step further, going as far as to block and reissue 600000 debit cards. It’s requesting consumers to modify their PIN code as well. SBI Chief Information Officer Mrutyunjay Mahapatra suspects there has been a compromise on the non-SBI ATM network which may encompass a wide range of white-label ATM service providers.

The report states that the malware infection took a whopping six weeks to detect, potentially affecting millions of transactions during that time period.