Systems compromised in 2016 leading to scare, owns up Hitachi

Hitachi Payments Services on Thursday accepted its systems were compromised by a sophisticated malware in mid-2016, that led to one of the biggest cyber security breaches in country with 3.2 million cards affected and a scare over security of card-based transactions.

The National Payments Corporation of India (NPCI) had said over 600 customers had reported losses of at least Rs 1.3 crore due to the breach.

The company, a wholly-owned subsidiary of the Japanese Hitachi, made the acknowledgement following the receipt of final assessment report from payments and information security audit firm SISA Information Security, and said it "regrets" the inconvenience caused.

In what poses more scope for worries, the company said the amount of data exfiltrated is "unascertainable due to secure deletion by the malware".

"We confirm that our security systems had a breach during mid-2016," its Managing Director Loney Anthony said, adding this happened despite following adequate security measures and adopting the standards of internationally- accepted best practices.

The compromise period has been identified between May 21 and July 11. It had come out in public after a slew of banks, including those not serviced by Hitachi, approached customers making either card replacements or ATM PIN changes compulsory. Out then, the compromise was suspected to have happened through one of the ATMs of Yes Bank, one of the biggest clients of the company. Yes Bank's Rana Kapoor had called for stricter vigil on the outsourced service providers following the compromise.

"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," he said. "Hitachi Payment Services regrets the inconvenience caused to banks and its customers due to this lapse in its security infrastructure. We assure you of our highest commitment to building a robust infrastructure in our systems and preventing such cyber frauds in future," Anthony said.

Quoting the SISA report, the Hitachi statement said a sophisticated malware (a piece of malicious software code) was injected in Hitachi Payment Services' systems, which led to compromise the details of debit cards.