Were 3.25M Indian Debit Cards Breached?

As many as 3.25 million debit cards in India will either have their security codes changed or their cards swapped out wholesale due to concerns that the data may have been breached in one of the nation’s biggest security incidents ever.

Card network providers Visa Inc (V.N), MasterCard Inc (MA.N), and home-grown RuPay have all alerted banks to the possible compromise, A.P. Hota, chief executive of National Payments Corp of India (NPCI) that runs RuPay, told the CNBC TV18 television channel.

As of now, it is thought the cards may have been tainted by suspected ATM breaches throughout the nation — so far 90 ATMS have come up as compromised.  Out of 3.25 million cards, the majority are on the Visa or Mastercard platform — 2.65 million — while the remaining 600,000 or so are on RuPay.

While the numbers sound staggering, it is helpful to put them in some scale; the number of cards affected account for just 0.5 percent of the nearly 700 million debit cards issued by banks in India.

Hota also noted that, so far, he believes the issue has been contained.

“Adequate precautions have been taken, information security officers of all the banks and the information security officers of all three networks are in close touch with each other,” said Hota. “There is no reason for any panic, or any kind of worry.”

When asked for comment, Visa and Mastercard both noted that their networks remain unbreached — but that they are aware of the issue and working with local authorities to resolve it.

It remains unclear whether the security breach involved card numbers and personal identification numbers only or other data.

Banking industry sources report that the problem in India issues from a feared breach in systems of Hitachi Ltd (6501.T) subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd (YESB.NS).

Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The State Bank of India said cards had been blocked after a warning by the card networks about the potentially coming cybercrime wave in the making — and the decision was made to reissue cards as a protective measure.