Report holds Hitachi responsible for debit card data theft

An interim forensic report on the biggest data theft in the country in which 3.2 million cards were exposed to danger has said there was a compromise in the systems of Hitachi Payments Services, which runs and manages ATM network.

Earlier, when the news of the data theft came to light, Hitachi had denied that its systems were compromised and had said that an external audit by an agency certified by the payment card industry (PCI) had confirmed that there was no breach of its systems.

However, sources, who are part of the team involved in the investigation, said after the submission of the interim report, Hitachi has accepted the data breach.

"The investigations are still going on and therefore I won't be able to comment on the issue," said Loney Antony, managing director, Hitachi Payment Services.

The interim report was submitted two weeks ago and the final report is likely to take another month. SISA, a payments security specialist based in Bangalore, has been authorised to conduct the audit.

The breach is said to have occurred because there was malware in Hitachi's systems for six weeks that ran and operated YES Bank's ATMs. 

As a result, 90 of YES Bank ATMs were affected and data of the cards used at these ATMs was stolen. 

As a result, fraudulent transactions were carried out on 641 customers of 19 banks, leading to a fraud of Rs 1.3 crore. In certain cases, the cards were fraudulently used in China and the US. 

Among the affected banks were ICICI Bank, SBI, Axis Bank, HDFC Bank and YES Bank. 

After the breach came to light, banks got into fire fighting mode. While SBI decided to re-issue 600,000 debit cards where it believed data might have been compromised, ICICI Bank and some other lenders advised their customers to use only their own ATM networks. 

Banks had also cautioned their customers to change their PIN to minimise chances of further frauds. As the call for a detailed investigation garnered steam, other agencies such as Prime Minister's Office and the Reserve Bank of India had also stepped in to monitor and ascertain the quantum of the damage and the risk. 

The PCI Security Standards Council, an international agency that looks at payments account security, is also probing the issue.

According to Hitachi's website, it has more than 48,000 ATMs, 230,000 point-of-sales (POS) devices, 60,000 mobile POS devices and 7,500 cash recycler machines/bunch note acceptors under management.