Banks recall 3.2 mn debit cards as data security 'compromised'

In biggest-ever security breach affecting the Indian banking sector, 32 lakh debit cards of various public and private sector banks are feared to have been 'compromised' by cyber malware attack in some ATM systems, even as the government asked people not to panic. Several banks, including state-run SBI, have recalled a large number of cards, while many others blocked the ones suspected to have been compromised and asked their customers to change PINs (personal identification number) before use. Fraudulent withdrawals have been reported from 19 banks so far, while complaints have been received from few banks that their customers' cards were used fraudulently abroad, mainly in China and USA while customers were in India. "All affected banks have been alerted by card networks that a total card base of about 3.2 million could have been possibly compromised. Out of this 0.6 million are RuPay cards," said National Payments Corporation of India (NPCI), the umbrella body for all retail payments system in India. In a statement, NPCI said the complaints of fraudulent withdrawals so far have come from 641 customers and the total amount involved is Rs 1.3 crore as reported by various affected banks. Seeking to calm worried bank customers, the Department of Financial Services Additional Secretary G C Murmu told PTI, "Only about 0.5 per cent of total debit card details were compromised while remaining 99.5 cards are completely safe and bank customers should not panic." There are around 60 crore debit cards operational in India, of which 19 crore are indigenously developed RuPay cards while the rest are Visa and Master Card enabled. Bankers said the recalled cards include those that have been replaced as a 'pre-emptive measure', while in many cases the customers have been asked to mandatorily change the PIN and other security numbers to resume using the blocked cards. SBI is said to have re-called around 6 lakh cards, while others like Bank of Baroda, IDBI Bank, Central Bank and Andhra Bank have also replaced debit cards of several customers as a pre-emptive measure. Canara Bank has also asked its customers to change their PINs, failing which the cards would be blocked by tomorrow. Among the private sector players, ICICI Bank, HDFC Bank and Yes Bank have asked customers to change their ATM PINs. HDFC Bank also advised its customers to use its own ATMs for carrying out any transaction. The suspected security breach happened through a malware in the systems of Hitachi Payments Services, which serves ATM network of Yes Bank and also some white-label ATMs. Hitachi provides payment services through ATM services, point of sale services (POS), emerging payments services and banking channel products like cash recycling ATMs and auto passbook entry machines.