Debit Card Fraud? Not At Our Bank, Say ICICI Bank, Yes Bank And SBI 

Banks claim possible breach is a cards industry incident.

A customers uses an ATM machine to withdraw cash inside a branch of the State Bank of India (Photographer: Sebastian Di Souza/Bloomberg News)  
A customers uses an ATM machine to withdraw cash inside a branch of the State Bank of India (Photographer: Sebastian Di Souza/Bloomberg News)  

Close to 3.2 million customers across 19 banks could have been impacted by a breach in debit card networks, according to a statement issued by the National Payments Corporation of India Ltd (NPCIL) on Thursday. 641 customers have complained of fraudulent transactions involving Rs 1.3 crore, said the statement which went on to add that “necessary corrective action” has already been taken.

The question that remains unanswered is how the breach took place.

In statements issued through the day, State Bank of India and private lenders ICICI Bank and Yes Bank claimed that they have not been affected by any security breach and that their ATMs have not been compromised.

We’d like to inform that SBI’s robust systems are absolutely secure and no security breach has happened.
State Bank of India said in an emailed statement.

SBI has taken precautionary measures and blocked the cards of certain identified customers, to protect them from any potential fraud. It will issue new cards at no cost to customers whose cards have been blocked.

The public lender stated that the breach was a cards industry incident and doesn’t only apply to SBI.

The country's largest private sector bank, ICICI said that the possible data breach of information has taken place in the ATM network of another bank and new personal identification numbers have already been issued for all such cards, which had been used on this network.

We are using our real-time fraud monitoring systems to identify and proactively stop any misuse of the cards which may have been impacted by the alleged breach in that bank. We also urge our customers as part of our ‘Safe Banking’ communication to change their PIN periodically to prevent any misuse. 
ICICI Bank’s e-mailed statement

Yes Bank founder and managing director Rana Kapoor also said that there has been no breach at the bank’s ATMs while speaking on the sidelines of the bank’s quarterly earnings press conference. He added that sufficient checks have been put in place to make sure there has been no compromise.

We have not had any breaches or compromise of our ATMs. As a matter of abundant caution we have checked and double checked and we have no reason to believe that there has been a breach in our ATM infrastructure
Rana Kapoor, Founder and MD, Yes Bank
Debit Card Fraud? Not At Our Bank, Say
ICICI Bank, Yes Bank And SBI 

Card network companies also denied that the breach happened at their end.

In an emailed statement to Bloomberg, Mastercard said that it was aware of the data compromise incident in India. It, however, added that the company's own infrastructure has not been breached. Visa, in a statement, said that it does not currently process domestic debit ATM transactions in India. “However, we are working closely with all networks and our financial partners to support with investigations.”

An email sent to the Reserve Bank of India seeking comment was not answered.

ATM frauds in the country have been on a rise, according to Deloitte's 2015 India Banking Fraud Survey. The survey showed that 24 percent of respondents felt that ATM breaches are the top risk for banks while the average loss per fraud was pegged at Rs 10 lakh.

According to KV Karthik, partner - financial advisory services at Deloitte India, the number of incidents of fraud in retail banking tends to be higher although the average value of fraud loss per fraud is lower.

Considering the presence of personal financial data online (in cloud networks) and the possibilities of hacking into banking systems to access such data, we foresee ATM fraud getting more sophisticated in the future.
KV Karthik, Partner - Financial Advisory Services, Deloitte India

Questions That Remain Unanswered

Where Did The Breach Take Place?

All reports suggest that the compromise may have happened at the level of the Hitachi Payment Services, whose systems are used to manage the ATM networks. Hitachi denies this. In a statement, the company said that it had appointed an external audit agency in the first week of September to check for a breach after a few suspected transactions were reported.

“The interim report published by the audit agency in September, does not suggest any breach / compromise in our systems,” said Loney Antony, Managing Director, Hitachi Payment Services

Who Is Liable For Customer Losses?

If a customer lost money before the bank alerted him, the bank will bear the loss. However, is a bank liable if it had asked a customer to change their PIN but the customer chose to ignore the advice?

Has Customer Data Been Compromised?

A question that is yet to be debated is what happens to the breach in privacy of basic customer information. While you can get a customer to block his or her card, a breach could also mean access to other confidential information such as names and birth dates among other things.

Does India Need A Breach Notification Law?

Unlike developed countries like the US, India does not have a breach notification law. Should banks try and cover up if and when such an incident occurs or should they be required, by law, to inform customers of a breach?