Another crisis has hit the Indian banking system, which is already crumbling under the weight of bad loans. Last week, the media was flush with reports of possibly the biggest data security breach in India's banking history, leaving customers and their money at significant risk.
Information related to 3.2 million debit cards from at least 19 commercial banks may have been leaked due to malware in ATM security systems. What’s worse, it reportedly took three months for the banks to discover the security breach. The malware was first found in the processors of Hitachi Payment Services’ central switch, which operates most of YES Bank’s ATMs and some teller machines owned by other banks, according to The Indian Express. But the company has denied that the problem originated from its systems.
The national media took cognizance of this crisis after several customers complained to banks that their cards had been used in China and the US for various transactions without authorisation. In a statement, the National Payments Corporation of India claimed that 641 customer complaints from 19 banks had been received and the amount involved was Rs. 1.3 crore.
Subsequent reports indicate that these figures will increase further, as more customers become aware of the data breach. Customers have alleged that banks had begun to get in touch with them several weeks ago, actively advising them to change their PIN numbers. This indicates that the banks may have been aware of the problem, but chose not to communicate it.
Many private and public sector banks have been affected by the crisis, including State Bank of India, HDFC Bank, and ICICI Bank. In response to the recent public outcry, these financial institutions have asked customers to change their ATM personal identification numbers or replace their debit cards entirely.
No one has been held accountable for the gross lapses in security protocol. No bank or institution has yet taken responsibility for the data breach, which has left sensitive financial information of their customers at serious risk. All of them maintain that their security systems are secure and up-to-date, leaving little scope for potential cyber-attacks. Clearly, something is amiss.
Meanwhile, the Centre has asked the banks concerned and RBI to submit a report on the nature of the breach and assured customers that their interests would be protected. Until the report is made public, it would be imprudent to comment any further on the nature of the breach. However, what has been particularly disconcerting about this entire episode is the inability of Indian banks to share critical information with one another or, more importantly, their customers, over incidents of enormous significance.
One can understand why banks would be hesitant to disclose information about a serious data breach. But they must remember that the first step should be to secure the interests of their customers, who are most at risk. Worst of all, the Reserve Bank of India—the country’s Central bank—has remained silent on the issue.
One of the primary responsibilities of the Central bank is to communicate with customers and prevent the spread of misinformation and panic. The RBI does not have to release information on the nature of the breach, but it should at least assure customers that it is on top of the problem.
The RBI is yet to release any official statement, even though it has started a formal investigation. Experts on RBI regulations contend that banks do not have to communicate any security breaches to the public. As per the latest reports, the RBI has directed banks to implement a security policy to combat such threats and clearly define tangible “cyber hygiene” measures that soon have to be approved by their respective boards.