SBI Says Over 6 Lakh Debit Cards Being Replaced On Security Breach Fears

State Bank of India has said it has blocked and will replace 6,25,000 debit cards that the country's biggest lender fears may have been compromised by a data breach. SBI has said that customers will be compensated for losses, which it estimates at about Rs 10 lakh to Rs 12 lakh.

"There is a suspicion that a data breach might have happened. We got this information from Visa, MasterCard and RuPay. As a measure of precaution, we have decided to replace these cards, which have been blocked," SBI managing director Rajnish Kumar told NDTV. (Watch)

Mr Kumar said the concern was that if hackers have access to card numbers and passwords it could be misused for e-commerce transactions or fund transfers. New cards would reach SBI customers soon, he said.

He also said the suspected breach had happened outside his bank's ATM network. SBI has "requisite security measures in place, and an alert was picked up by a transaction monitoring system", he said.

The potential breach has affected other banks too. Axis Bank said in a statement that its "internal monitoring mechanism identified such a threat recently and all steps have been undertaken to neutralize the same".

Rajiv Anand, executive director of Axis Bank, told NDTV that there has been no data breach at Axis Bank's ATM network. "We have sent SMSes to customers to change PINs who were potentially exposed to possible breach in other bank's network." he said. (Watch)

"Where customers have not reset their PINs, the cards have been blocked. But the number of cards blocked is very small. Most of the customers have changed the PINs," he said.

According to National Payments Corporation of India (NPCI), which is the umbrella organisation for all retail payments system in India, about 150 fraudulent transactions might have taken place for the industry as a whole, Mr Anand said.

Speaking about the origin of the possible breach, Mr Anand said, "Some sort of malware was sitting in one of the bank's network. As a result, banks found that customers came to them saying that they were hit by transactions they had not done."

News agency Reuters citing banking industry sources said the issue stemmed from a feared breach in systems of Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd.

Yes Bank said in a statement it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.

A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding that it had no further comment at this time.

An ICICI Bank spokesperson confirmed that a "possible breach of information of debit cards has taken place in the ATM network of another bank". "As a precautionary measure, the PINs of debit cards used at the ATMs of that bank have been changed. This has been done in order to protect our customers from any potential fraudulent transaction," the spokesperson added.

AP Hota, MD & CEO of NPCI, in a statement said, "All affected banks have been alerted by all card networks that a total card base of about 3.2 million could have been possibly compromised. Out of this 0.6 million are RuPay cards."

"Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic. Advisory issued by NPCI to banks for re-cardification is more as a preventive exercise," he added.

MasterCard in a statement said, "We are aware of the data compromise event. To be clear, MasterCard's own systems have not been breached."

There were 697.2 million debit cards in India as of end-July, according to data from the Reserve Bank of India. (With agency inputs)