Virus that Infected Debit Cards was on Hitachi Network
Malware concealed its tracks during the compromise period, security firm said in report
Mumbai: Payments security specialist firm SISA, in its final audit report on the compromise of 3.2 million debit cards during October last year, has confirmed that the malware that compromised the cards had indeed infected the Hitachi ATM payments network.
Though initial reports after the breach had pointed fingers at the Hitach Payments ATM network, National Payments Corporation of India had handed over the forensic audit to Bengaluru-based SISA to confirm the breach and cleanse the system.
In a statement to the media, Hitachi Payment Services has confirmed the breach and said that they will continue to undertake all mandatory and regulatory security measures to enhance the security of their systems.
“We confirm that our security systems had a breach during mid-2016. As soon as the breach was discovered, we followed due process and immediately informed the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), banks and card schemes to ensure the safety of their customers’ sensitive data,” said Loney Antony, managing director, Hitachi Payment Services.
Antony further said that the audit agency not only investigated the breach but also suggested ways to ensure such events didn’ t occur a g ain, which Hitachi has implemented.
The report also confirmed that the malware had been able to work undetected and had concealed its tracks during the compromise period. While the behaviour of the malware and the penetration into the network has been deciphered, the amount of data compromised during the above period could not be confirmed due to secure deletion by the malware, said the report.
Bankers said that the malware was so advanced that it could self destruct after the target was accomplished thereby not leaving behind much of trace to be tracked back to its originator.
They said that while the fingers point towards Hitachi Payment Services, who exactly had to pay for the breach was something that they would have to examine.
“It depends on the agreements that we had signed with that ATM service provider and other banks and also on the insurance claims that could be made,” said a senior banker with State Bank of India which had replaced 6 lakh debit cards post the breach. “We are yet to take a call on this.”
Antony said that there were no claims made on Hitachi yet, since the amount lost was low.