Remember the debit card fraud that took place between 21 May and 11 July 2016, where card information of at least 3.2 million customers were reported stolen from the network of Yes Bank ATMs? The systems were managed by Hitachi Payment Services and today, Hitachi has released a statement regarding the incident.
As per the statement, the humongous debit card data breach was actually the work of a malware injection in Hitachi’s systems. The firm also said that they were not aware of how much data actually got leaked in the incident.
In a statement released on Thursday, the payment service company confessed that a “sophisticated injection of malware” was found in Hitachi’s system which was audited by SISA Information Security Pvt. Ltd.
As per a press release from Hitachi:
The malware, being sophisticated in its design, had been able to work undetected and had concealed its tracks during the compromise period. While the behaviour of the malware and the penetration into the network has been deciphered, the amount of data breached during the compromise period cannot be ascertained due to secure deletion by the malware.
Though the incident took place between May and July of 2016, the extent of the breach was only discovered in September by the Bank and the payment service. SISA was handed over the responsibility of conducting an elaborate forensic audit of the system and the recent findings are a result of the same.
Loney Antony, Managing Director, Hitachi Payment Services told:
Despite following adequate security measures and adopting the standards of internationally accepted best practices in the business, we confirm that our security systems had a breach during the middle of last year. As soon as the breach was discovered, we followed due process and immediately informed the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), banks and card schemes. We also partnered with banks to ensure the safety of their customers’ sensitive data. As a result, the extent of compromise was limited and we have not seen any further misuse due to the containment measures deployed by Hitachi Payment Services.