UPDATE 1-Security breach feared in up to 3.25 mln Indian debit cards

A slew of banks in India will replace or ask customers to change security codes of as many as 3.25 million debit cards.

  
* Debit cards compromised by security breach involving 90 ATMs

* Some 2.65 mln Mastercard, Visa debit cards possibly compromised

* Five banks most affected -Economic Times

(Recasts with Visa, MasterCard, NPCI comments, details)

By Devidutta Tripathy

MUMBAI, Oct 20 (Reuters) - A slew of banks in India will replace or ask customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country's largest-ever cyber security incidents.

Card network providers Visa Inc , MasterCard Inc , and home-grown RuPay have alerted banks to the possible compromise, A.P. Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel.

The cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country, said Hota, adding that the issue was still being investigated.

Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay, said Hota, adding he believed the issue had been contained.

"Adequate precautions have been taken, information security officers of all the banks and the information security officers of all three networks are in close touch with each other," said Hota. "There is no reason for any panic, or any kind of worry."

Visa and Mastercard said their own networks had not been compromised, but they were aware of the issue and were working with banks, regulators and others to support investigations.

While the potential breach impacts a large number of debit card holders, the number of cards affected account for just 0.5 percent of the nearly 700 million debit cards issued by banks in India.

Although breaches such as this have occurred in India in the past, Hota said prior breaches have been typically localized to five or 10 ATMs. He added the latest breach may have been caused by a compromised "switch" - part of the back-end networks aiding ATM operations - of one particular local bank.

It was not clear whether the security breach involved card numbers and personal identification numbers only or other data.

Banking industry sources with direct knowledge of the matter said the issue stemmed from a feared breach in systems of Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd .

The sources were not authorised to speak with media on the matter and so declined to be identified.

Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.

A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding it had no further comment at this time.

The Economic Times newspaper earlier on Thursday reported that the worst-hit of the card-issuing banks were Yes Bank, State Bank of India , HDFC Bank Ltd , ICICI Bank Ltd and Axis Bank Ltd .

State Bank of India said it had blocked cards of certain customers after being informed by card network providers about a breach outside its network, and was replacing those cards as a proactive measure.

Standard Chartered PLC's Indian unit has also begun to re-issue debit cards for some customers, according to messages sent to clients.

HDFC, ICICI, Axis and Standard Chartered did not respond to Reuters requests for comment.

(Reporting by Devidutta Tripathy; Additional reporting by Suvashree Dey Choudhury and Katsuro Kitamatsu; Editing by Euan Rocha and Christopher Cushing) ((devidutta.tripathy@thomsonreuters.com; +91 84518 40430; Reuters Messaging: devidutta.tripathy.thomsonreuters.com@reuters.net))

More From Business