Recent times saw one of the biggest security and information breaches (read: theft) in the Indian scenario; about 3.2 million card holders suffered from this breach. The breach is alleged to have occurred from the Hitachi Payment Services systems, which were infected with malware that collected and stored personal data, including card details and PINs, which were then used to commit further frauds in various locations in the US and China. Hitachi Payment Services serves as the ATM network of Yes Bank and several other

The victims of this breach were spread across various banks, both private and public sector, and across different debit card service platforms. The banks include the likes of State Bank of India, Yes Bank, Axis Bank, ICICI Bank and others, whereas 2.6 million cards belonged to the Visa and MasterCard platforms and about 6 lakh to RuPay. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016]. State Bank of India alone blocked around 6.2 lakh ATM cards. The banking sector responded by sending messages to the customers who were probably affected by the breach, urging them to change their PIN and get their ATM cards blocked, and said that new debit cards would be issued against them. A total sum of around ₹1.3 crore is said to have been lost, but according to bank policies, under which the money is returned when the default was by the bank or any third party, the amount lost would be returned to the people who lost it. Though the banks prima facie admit that the breach occurred, they deny that their systems were affected.

Though the recent happenings may seem new, they are not; the underlying fact is that this kind of theft/breach is an everyday affair. Though not every incident is reported, and certainly not every one is of such a scale, there is no denying the fact that they happen, and they usually end as a tussle between the bank and the victim.


There are some unanswered questions that need consideration. Firstly, the breach is alleged to have happened between the months of May and July; why did it take this long for the breach to come to light?

The breach took place somewhere between May and July, and the information came out only in the latter part of October, when the banks (especially SBI) started sending text messages to their customers asking them to change their PINs and issuing new debit cards. The core reason for this delay, however, lies in the non-cooperation among the different banks and their failure to share the information with one another, which ultimately led to this fiasco.

It is not a lack of institutions which led to this condition; there are institutions set up to look into cases of cyber attacks, namely the Institute for Development and Research in Banking Technology [IDRBT], the Information Sharing and Analysis Centre [ISAC], and the banks' own Security Operations Centres [SOCs]. But a lack of vision and mutual coordination led us here: each bank which received complaints treated them in isolation, the complaints were dubbed fraud and not forwarded to the ISAC, and so on, and there was no conclusive prior alert. By the time it was realized that these were not stray incidents, the breach was already done. Most of the SOCs are understaffed and don't employ automated systems for detection and reporting of threats. [The, India suffered a massive debit card data breach because no one connected the dots].
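As an added illustration (not from the article or from any of the institutions it names), the following Python sketch contrasts what a single bank sees when it treats fraud complaints in isolation with what a pooled, ISAC-style view over the same complaint records would flag: a common point of compromise spanning several banks. The bank names, the "Provider-A"/"Provider-B" labels and the dates are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of fraud complaints as individual banks' SOCs might log
# them. Bank names, the hypothetical shared ATM service providers
# "Provider-A"/"Provider-B" and the dates are all made up for illustration.
COMPLAINTS = [
    {"bank": "Bank1", "provider": "Provider-A", "date": date(2016, 6, 3)},
    {"bank": "Bank1", "provider": "Provider-A", "date": date(2016, 6, 20)},
    {"bank": "Bank2", "provider": "Provider-A", "date": date(2016, 5, 28)},
    {"bank": "Bank2", "provider": "Provider-A", "date": date(2016, 7, 9)},
    {"bank": "Bank3", "provider": "Provider-A", "date": date(2016, 6, 11)},
    {"bank": "Bank3", "provider": "Provider-A", "date": date(2016, 6, 30)},
    {"bank": "Bank4", "provider": "Provider-A", "date": date(2016, 7, 14)},
    {"bank": "Bank4", "provider": "Provider-A", "date": date(2016, 7, 15)},
    {"bank": "Bank1", "provider": "Provider-B", "date": date(2016, 7, 2)},
]

def per_bank_alerts(complaints, threshold=5):
    """Each bank looks only at its own complaints: a provider is flagged
    only if that single bank alone has `threshold` reports against it."""
    counts = defaultdict(int)
    for c in complaints:
        counts[(c["bank"], c["provider"])] += 1
    return {key for key, n in counts.items() if n >= threshold}

def pooled_alerts(complaints, min_banks=3, min_reports=5):
    """Shared (ISAC-style) view: pool every bank's complaints and group them
    by the common provider; flag a provider once the reports span several
    banks, even though no single bank crossed its own threshold."""
    by_provider = defaultdict(list)
    for c in complaints:
        by_provider[c["provider"]].append(c)
    alerts = {}
    for provider, items in by_provider.items():
        banks = {c["bank"] for c in items}
        if len(banks) >= min_banks and len(items) >= min_reports:
            dates = sorted(c["date"] for c in items)
            alerts[provider] = {
                "banks": sorted(banks),
                "reports": len(items),
                "first": dates[0].isoformat(),
                "last": dates[-1].isoformat(),
            }
    return alerts
```

With this sample, the per-bank view flags nothing (no bank has more than two reports), while the pooled view flags Provider-A as common to four banks over a May-to-July window.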

The second question which must be raised is why there was no prompt disclosure of the breach.

Though it can be expected that a bank, or any institution which holds a person's data and subsequently loses it, would not like to tell its customers that it was unable to keep their data safe, the customers at the same time have a right to know what is happening with their information. The Indian banks, however, tried to keep this sensitive information about the data breach to themselves and willingly chose not to disclose it to the concerned parties, which for obvious reasons is very alarming. [Javed Anwer, India Today, 32 lakh bank cards hacked: India needs data breach disclosure law and needs it now, Oct 20, 2016].

The data that was stolen, or over which the breach occurred, belonged to the customers of the bank; it was their private data, and every happening related to it needs to be conveyed to them, instead of a cryptic text message. What sending those messages can lead to is a shifting of blame: that the customer receiving the text did not comply with it, so that the mistake on the part of the bank and others could easily be attributed to the victim himself. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016].


There is a need for changes in the present scenario if incidents like these are to be controlled and contained in future.

1. Need to strengthen the SOCs and mechanisms of early detection: There is no denying the fact that with the evolution of technology, banking is also changing and becoming more technologically equipped. But at the same time, the number of hackers willing to get hold of the information is rising too, and there is a critical need to empower SOCs and other institutions to deal with these threats. There is also a need to make it compulsory for banks to have fully functional SOCs which would be bound to share information on such suspected breaches, as the present case arose due to a lack of proper sharing of information.

2. Strict laws making it mandatory to inform about a breach: The USA and the EU have had such laws for a long time, making it mandatory to inform about a data breach. By contrast, though there is a fundamental Right to Privacy, there is no framework which necessitates informing about a breach of data. The time calls for a law which makes it compulsory for a corporation to inform the concerned parties about a data breach. This would ultimately lead corporations to come clean about the efforts they put in to secure the private data of their customers, and thus ultimately to the development of even more secure systems.

3. Awareness programs: Breaches of this kind are exceptions; what is common is the breach involving a single person or a small group of persons. Most such small-scale breaches are done using some external device which can collect data in one form or another, and most of those devices can be identified easily as they are not regular components of the ATM. There is a need to make it compulsory for banks to put up tutorials or other material informing customers to watch out for such devices when they use ATMs. This simple exercise can help reduce the small cases which happen more often.


This story may be new in terms of the scale of the number of people affected, but it is an almost everyday scene. Every organization has its own version of the story to tell: the banks point out that there is no flaw in their systems and the breach was in the card industry, while the card platforms say that their systems are secure and no breach occurred there.

At the same time it must be remembered that the breach could possibly have been avoided if the institutions designated to keep a check had shown more cooperation and adopted a broader way of looking at things. Even if, after all care, breaches do happen, the corporations involved should be made to behave in a much more proper manner, at least in disclosing to the affected customers what has happened.

