Indian banks, which were already crumbling under the weight of increasing non-performing assets worth thousands of crores of rupees, now have an even bigger problem on their hands – and this time, customers and their money are directly at risk.

In what is possibly the biggest data security breach in India, the information related to perhaps 32 lakh debit cards may have been leaked owing to a flaw in ATM security systems. Reports on the breach emerged on Thursday after several customers complained to their banks that their cards had been used in China, even though they were in India at the time.

The worst-affected banks include HDFC Bank, State Bank of India, Yes Bank and ICICI Bank, among others.

Initial reports suggested that the breach was caused by malware – malicious software – introduced in some ATMs and points of sale.

Even as banks have urged customers to change their ATM Personal Identification Numbers or replace their debit cards and have reissued more than six lakh debit cards, they have been quick to assert that the breach was not their fault. All of them have maintained that their security systems are up-to-date and robust enough to handle any cyber attacks.

No institution has accepted culpability for the fact that weak security protocols have allowed such information to fall into the hands of outsiders.

Late disclosures

Though reports of the breach emerged only on Thursday, banks had started contacting customers several weeks ago urging them to change their PINs, indicating that they knew of a possible problem. However, they were not explicit about this.

Customers alleged that the banks, while asking them to change their PINs, did not communicate the extent of the problem to them and made it seem like a routine procedure.

For instance, Kanupriya Kaikeya, a public relations professional from Delhi, received a message from the SBI as early as September 29. However, she said that the message did not give the sense that something unusual had occurred, so she did not take the advice to change her PIN right away.

Messages received by Kanupriya from SBI
Messages received by Kanupriya from SBI

Over the next two weeks, Kaikeya received at least 15 messages about transactions from her debit card on websites such as Freecharge and Zomato – sites she had not been using at the time, with one-time-passwords to complete the payment.

"Thankfully, I didn’t lose any money, but I have lost all faith in the banking system if it’s so vulnerable," Kaikeya said.

According to the National Payments Corporation of India, the umbrella organisation for retail payment systems in India , more than 641 customers from 19 banks have reported losing money to fraudulent transactions amounting to Rs 1.3 crore. The number is only preliminary and could rise as more customers become aware of the data breach and check their account statements.

Passing the buck

After reports of the breach emerged, banks rushed forward with statements – all of which essentially put them in the clear. The Reserve Bank of India is yet to issue a statement on the data breach.

“It’s a security breach, but not in our banks’ systems. Many other banks also have this breach right now,” said Shiv Kumar Bhasin, SBI’s Chief Technology Officer. “Banks whose ATMs have been infected must come forward and declare those infected ATMs. The onus is on them to stop this.”

The SBI had blocked about six lakh debit cards after it suspected a malware-based breach was detected in an ATM network outside the bank’s purview.

Yes Bank too, which asked its customers to change ATM pins by blocking their cards temporarily or reducing their withdrawal limits, said that it is not responsible for the data theft and that its ATMs are secure.

“Yes Bank has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on Yes Bank ATMs,” the bank said in a statement. “Yes Bank continues to work with relevant stakeholders to ensure utmost safety and security of its ATM network and payment services which are completely safe to use,” it added.

Other major banks too, issued similar statements and did not comment on who is to blame for the fact that the system is vulnerable to such breaches.

Laxity at play?

Reports suggested that the National Payments Corporation of India’s investigation indicated the malware first breached the systems of Hitachi Payment Services, which provides ATM and point-of-sale services. But the company has denied that the problem originated from its systems.

“The interim report published by the audit agency in September, does not suggest any breach compromise in our systems ,” Loney Antony, Managing Director, Hitachi Payment Systems was quoted as saying by the Economic Times. "The final report is expected by mid-November."

An Article in the Firstpost, however, said that National Payments Corporation of India had warned banks about the possible breach in Hitachi’s systems as early as May, but no action was taken. The article argued that by outsourcing the management of ATMs to third parties, the banks are “outsourcing negligence.”

Opaque system

Even as reports of the breach created panic, fuelled by misinformation and paranoia, among customers, the Reserve Bank of India – the country’s apex financial institution – kept silent on the issue. Though it has started an investigation into the breach, it is yet to release a statement.

According to current RBI regulations, banks are not required to disclose any security breaches to the public – making it possible for the banks to underplay the extent or impact of data thefts if there is no intervention.

The apex bank’s proposed guidelines on online frauds, published in August and open for public comments, details the liability of customers in cases of such frauds. The guidelines state that in case of a third-party breach – where neither the customer or bank is at fault – customers will have zero liability if they report the unauthorised transaction to the bank within three working days of receiving a communication on it.

After this cut-off, the customer will have to bear up to Rs 5,000 in damages or the transaction value, whichever is lower. And if they take more than a week to report the transaction, this amount can go up and will be on the bank’s discretion.

In case there is negligence on part of the customer, "the burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank", the statement says. "The bank’s above policy shall also specify the maximum time period for establishing customer liability after which the bank shall compensate the customer.”