Hackers managed to transfer over Rs 94 crore through a malware attack on the server of Pune-based Cosmos Bank and cloning thousands of the bank's debit cards over a period of two days, a senior bank official said.
The fraudulent transactions were carried out on August 11 and August 13 through 25 ATMs located in Canada, Hong Kong and a few in India.
The cards of the cooperative bank customers that were cloned were of Visa and Rupay.
"A complaint has been filed with Pune police about the malware attack and the bank is doing internal audits to investigate the breach," the official said.
The bank maintained that the core banking system (CBS) was not attacked and the malware attack was on the switch, which is operative for payment gateways of Visa and Rupay debit cards.
"None of the customers' accounts were touched and it is the bank which has incurred the loss of this money," the official said.
While cloning the Visa and Rupay debit cards of bank account holders and using a "parallel" system to the National Payment Corporation of India (NPCI), the hackers self-approved the transactions and withdrew over Rs 94 crore on two to three occasions, the official added.
"It was Visa and Rupay who appraised about these fraudulent transactions to Reserve Bank," said the official.
Realising the cyber attack, the bank then registered an FIR with the Chatushringi police station.
As a precautionary measure, the bank has closed all its servers and net banking facilities, according to the official.
According to the FIR, the hackers used an unidentified malware to hack the system and clone card details of the bank customers.
"On August 11, the hackers cloned the card details and did over 12,000 transactions and transferred Rs 78 crore out of India. On the second instance, total 2,849 transactions were done in which Rs 2.5 crore was transferred within India," the FIR said.
It also said that on August 13, hackers again transferred Rs 13.92 crore in a Hong Kong-based bank by using fraudulent swift transactions.
A case has been registered under section 43, 65, 66(C) and 66 (D) of the Information Technology Act and relevant sections of Indian Penal Code.
Disclaimer: No Business Standard Journalist was involved in creation of this content
You’ve reached your limit of {{free_limit}} free articles this month.
Subscribe now for unlimited access.
Already subscribed? Log in
Subscribe to read the full story →
Smart Quarterly
₹900
3 Months
₹300/Month
Smart Essential
₹2,700
1 Year
₹225/Month
Super Saver
₹3,900
2 Years
₹162/Month
Renews automatically, cancel anytime
Here’s what’s included in our digital subscription plans
Exclusive premium stories online
Over 30 premium stories daily, handpicked by our editors
Complimentary Access to The New York Times
News, Games, Cooking, Audio, Wirecutter & The Athletic
Business Standard Epaper
Digital replica of our daily newspaper — with options to read, save, and share
Curated Newsletters
Insights on markets, finance, politics, tech, and more delivered to your inbox
Market Analysis & Investment Insights
In-depth market analysis & insights with access to The Smart Investor
Archives
Repository of articles and publications dating back to 1997
Ad-free Reading
Uninterrupted reading experience with no advertisements
Seamless Access Across All Devices
Access Business Standard across devices — mobile, tablet, or PC, via web or app