CORRECTED-UPDATE 2-Security breach feared in up to 3.25 mln Indian debit cards

A slew of banks in India will replace or ask customers to change security codes of as many as 3.25 million debit cards.

FILE PHOTO - A man uses an ICICI automated teller machine (ATM) in New Delhi, India.

FILE PHOTO - A man uses an ICICI automated teller machine (ATM) in New Delhi, India.

REUTERS/Adnan Abidi/File Photo

(Corrects SBI's outstanding cards to more than 200 million)

* Debit cards compromised by security breach involving 90 ATMs

* Some 2.65 mln Mastercard, Visa debit cards possibly compromised

* Banks asking customers to change security codes, replacing cards

By Devidutta Tripathy

MUMBAI, Oct 20 (Reuters) - A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country's largest-ever cyber security incidents.

Card network providers Visa , MasterCard , and home-grown RuPay have alerted banks to the possible compromise, A.P. Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel.

The cards were possibly compromised by suspected security breaches involving as many as 90 ATMs throughout the country, said Hota, adding that the issue was still being investigated.

Of the debit cards affected, 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay, said Hota, adding he believed the issue had been contained.

"Adequate precautions have been taken, information security officers of all the banks and the information security officers of all three networks are in close touch with each other," said Hota. "There is no reason for any panic, or any kind of worry."

Visa and Mastercard said in separate statements their own networks had not been compromised, but they were aware of the issue and were working with banks, regulators and others to support investigations.

While the potential breach impacts a large number of debit card holders, the number of cards affected accounts for just 0.5 percent of the nearly 700 million debit cards issued by banks in India.

Although breaches such as this have occurred in India in the past, Hota said prior breaches have been typically localized to five or 10 ATMs. He added the latest breach may have been caused by a compromised "switch" - part of the back-end networks aiding ATM operations - of one particular local bank.

It was not clear whether the security breach involved card numbers and personal identification numbers only or other data.

Banking industry sources with direct knowledge of the matter said the issue stemmed from a breach in systems of Hitachi Ltd subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd .

The sources were not authorised to speak with media on the matter and so declined to be identified.

Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.

A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding it had no further comment at this time.

State Bank of India , the nation's top lender, said it had blocked cards of certain customers after being informed by card network providers about a breach outside its network and it was replacing those cards as a proactive measure.

The bank has found about 620,000 of its more than 200 million cards "vulnerable", Mrutyunjay Mahapatra, a deputy managing director at SBI, told Reuters, but added he did not expect any significant financial loss.

ICICI Bank , HDFC Bank and Axis Bank - the top three private sector lenders - confirmed in separate statements some of their customers' card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.

Standard Chartered's Indian unit has also begun to re-issue debit cards for some customers, according to messages sent to clients. The bank did not respond to requests seeking comment.

(Reporting by Devidutta Tripathy; Additional reporting by Suvashree Dey Choudhury and Katsuro Kitamatsu; Editing by Euan Rocha, Christopher Cushing and Alexandra Hudson) ((; +91 84518 40430; Reuters Messaging:


More From Commercial