Indian banks stung by the biggest financial data breach to hit the industry are scampering to contain the damage and compensate the affected account holders. Sources said SBI, HDFC, ICICI, Axis and Yes Bank are looking to refund money to customers or other banks.
On the other hand, only one bank, State Bank of India, has come forward to replace the cards affected by the malware. Private sector lender Axis Bank said that while some cards have been replaced, several customers have been asked to change their security codes as well.
“Banks are currently conducting detailed investigations or assessment of all the transactions where money was lost due to the financial breach,” a person with direct knowledge of the matter told ET. Indian banks that have been stung by the data leak have roped in forensic and cyber investigators to conduct detailed investigations.
ICICI Bank, Yes Bank and HDFC Bank have over the last few weeks asked customers to change PIN numbers. ATMs of certain banks disbursed money on the fraudulent cards, and some of these banks which are abroad, mainly in China, have reached out to the Indian banks to reimburse them the money. Most Indian banks allow Indian customers to withdraw money from any ATM across the world.
“Like someone has used bank A’s debit card to withdraw money from ATM machine of bank B. We will be reimbursing all the customers who have lost their money within a week, and we are talking to other banks to sort out how to reimburse or collect money from them,” a banker with one of the banks hit by the breach told ET.
ET on October 20 reported over 3.2 million cards were compromised after a malware-related security breach. Of the cards, 2.6 million are said to be on the Visa and MasterCard platform and 600,000 on the RuPay platform.
ICICI, Axis and HDFC Bank confirmed that they had advised customers to change security codes, but did not elaborate on who would bear the brunt in the event of a fraud when the customer fails to change the PIN numbers.
Customers as well as banks are flailing to quantify the loss and reparations due to affected customers and banks. It does not help that policy to determine the extent of loss and locate responsibility is muddled or non-existent.
Banks have not yet publicly said how much they are liable to customers. Besides, critics say banks asking customers to change secret numbers or issuing new cards will not only save costs of re-carding but also shift the liability for the security breach onto the customers who do not change PINs.
Industry veterans believe reissuing fresh cards is a better idea as it reduces the possibility of a fraud. “Quite a number of customers do not have their bank accounts linked with their mobile numbers, so it is difficult to alert them of such a possible breach,” AP Hota, MD & CEO, NPCI, told ET.
SBI has already said that it will reissue more than 6 lakh compromised cards free. Sources also said that SBI officials were working round the clock to deliver these cards to customers within the next five days. “There has to be some clarity from the RBI on when and to what extent is the customer liable if he fails to mitigate the damage done,” Nishit Dhruva, Managing Partner, MDP & Partners, told ET.
“Right now, it is not clear who will eventually take the fall in this case.”
In some cases money was not debited from the accounts as the transactions were stopped mid-way. However, money was still withdrawn from ATM machines outside India. In such cases, the Indian banks will have to settle the transactions with foreign banks.
“The transactions are settled between banks every quarter, but this is a different situation. Since data is breached, the customer has lost money but he can’t be charged for the same,” a senior forensic official working with an Indian bank said. People in the know said banks would be issuing the guidelines on how they would reimburse the money in the coming month.
The breach, according to the investigators working with the banks, has mainly affected the magnetic strip ATM cards. Indian banks issue two types of cards: chip-based cards and magnetic strip cards.
After banks alerted Visa and MasterCard, a forensic audit is being conducted by Bengaluru-based payment security specialist SISA.
The breach is said to have originated in malware introduced in the systems of Hitachi Payment Services, enabling fraudsters to steal funds. Some sources said the malware infection took about six weeks to detect, affecting transactions in that period. As many as 3.2 million cards were used on the Hitachi network.
Source: Economic Times