Hitachi Hackers Cashed in on Security Gaps
Ingenuity of attack shows involvement of masterminds, hints forensic audit report
Illustration: ANIRBAN BORA
Mumbai: From late May to end July of 2016, India was struck by what till now is the worst cyber breach to compromise the country’s payments network. Bank customers, including several foreign travellers, using as many as 3.2 million debit cards feared that their accounts had been hacked. Weeks after the panic — by when thousands had lost money — it surfaced that hackers had penetrated the network of Hitachi to which some banks had outsourced their ATM transaction processing. RBI sent out a flurry of dos and don’ts to banks, held meetings with payments companies such as VISA, MasterCard and National Payments Corporation of India; and Hitachi hired a Bengalurubased payments security firm to carry out a forensic audit.
The audit report, which was submitted to the regulator last week, brings out an uncomfortable truth that most Indian banks and corporates will now have to deal with: anti-virus and anti-malware devices they have installed are no match for targeted cyber attacks. What this means is that if the code of a malware, floated by the hacker, is written in a clever way, it can overcome most anti-malware walls.
The forensic team, stunned by the level of sophistication and ingenuity of hackers who targeted Hitachi, has found that the malware (which is nothing but a software) was so ingenuously written that it could spread within the Hitachi system at an alarming rate. This was despite Hitachi using some of the best security devices.
ET learns that the hackers created a ‘dummy code book’ within the Hitachi system — capturing all possible four-digit numbers from 0000 to 9999 — to steal the PINs (personal identification numbers) of customers as and when they used their cards to withdraw money from ATMs of a private bank in India.
Experts say similar attacks can happen to any payment environment — banks, wallet firms, UPI, IMPS or retailers
In October 2016, Tata Sons appointed Ralf Speth and N Chandrasekaran as additional directors.
“This is the first time in many years that the Tata Sons board has more outsiders than representation from within the group,” the second person quoted above said. “Traditionally, the board had a combination of outsiders, insiders and insiders like outsiders.’’
In the past, eminent jurists Nani Palkhivala and SR Vakil were outsiders but were seen as insiders in Bombay House, the headquarters of the conglomerate. Other prominent mem- bers of the board included Pallonji Mistry, who owned 18.4% stake in Tata Sons, Darbari Seth, FC Kohli, Mulgaonkar, JJ Irani and R Gopalakrishnan.
Some shareholder activists insist on the need for insider representation.
“Tata Sons board should have an ideal structure of 60% outsiders and rest from operating companies,’’ says Anil Singhvi, founder, Ican Investments Advisors, a proxy shareholder advisory firm. “The board cannot just have members who have no stake in the system. It should have members who are directly involved in the group businesses and can bring that perspective to the table.”