Banks recall over 32 lakh debit cards due to security breach

More than 32 lakh debit cards of customers have been blocked or recalled by banks to prevent them from falling prey to any financial fraud after a major security breach at a payment services provider that manages ATM network of a private sector bank.
While some of the banks like SBI have re-called around six lakh cards, others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have already replaced their debit cards which are effected as a pre-emptive measure.
Some of the lenders like ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM pin numbers. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction.

The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves Yes Bank.
Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.
In light of the incident, Yes Bank's managing director and chief executive Rana Kapoor underlined the need for a greater vigilance on outsourced work.

"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," he told reporters.

According to bankers, the breach took place in such a way that anyone using the said bank's ATMs in the region might stand to get affected.
State Bank of India in a statement said, "Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks."
SBI deputy managing director and chief operating officer Manju Agarwal explained that the data breach took place between May and July, but was discovered only in September and so the bank decided to proactively change the cards.

"As soon as we came to know financial data being stolen, we asked our customers to change the ATM pin numbers. Despite instructions only 7 per cent of the customers changed their pin numbers. At that point we decided to recall cards as we did not want our to customers to be at any risk," she said.
SBI further emphasised that its systems are absolutely fine and not compromised at, and that existing cardholders are not at any risks.
The bank is in the process of issuing new cards at no cost to those whose cards have been blocked, and it is an industry incident and not an SBI only incident, it added.

Meanwhile, the Finance Ministry has sought details from lenders as also the additional steps that need to be taken to avert such incidents.
According to the ministry sources, the Department of Financial Services has sought information about implication of such data compromise from Indian Banks Association.
A state-run bank's chairman and managing director said, "As soon as we came to know about the security breach, we replaced debit cards of those customers which we thought were at high risk. We replaced around 3 lakh debit cards."
An Axis Bank spokesperson said, "The bank has proactively reached out to the affected customers and advised them to change their Debit Card PINs. The Axis Bank ATM network is fully secured and customers should ideally use Axis Bank ATMs to change their Debit Card PINs."

Lenders said some of their customers reported about suspicious transactions, which took place in China, from their international debit cards.
"There was some compromise of data and when the bank came to know about some suspicious transactions which had taken place overseas. We have already completed the process of recalling the card," Bank of Baroda Executive Director Mayank Mehta said.
The bank has verified its internal switch system, softwares and is also checking offsite ATMs, he added.
Central Bank Executive Director R C Lodha said, "A few customers came to us about unauthorised transactions from their cards in China. These customers do not even have passports. We have replaced such cards."

The debit cards which were affected included of Visa, Mastercard and RuPay.
In a statement issued today, Visa said, "It has been informed that some payment cards in India may have been compromised due to suspected breach of payment systems at a service provider. We also note reports that some of these affected accounts have been fraudulently used for overseas transactions."
"Visa does not currently process domestic debit ATM transactions in India, however we are working closely with all networks and our financial institution partners to support with investigations," it said.
Mastercard said its systems have not been breached.
"At Mastercard, safety and security of payments is a top priority for us and we are working on the investigations with the regulators, issuers, acquires, global and local law enforcement agencies and third party payment networks to assess the current situation," it said in a statement today.