MUMBAI — Sparking a pre-Diwali panic among consumers, over three million debit cards of various banks are believed to be 'tainted' following a suspected security breach, even as investigations have begun into the reasons behind the security risk, officials said.
The problem has hit mainly debit cards, and several banks have already started blocking their customers' debit cards and re-issuing fresh ones to them free of cost.
This could take around a week, leaving barely any time for people wanting to do Diwali shopping or go on vacations.
An estimated 3,000,000-plus debit cards issued by various public or private banks are said to have been exposed to a potential risk of data breach.
Barring assurances to the customers, most banks have not yet disclosed the numerical or geographical extent of debit cards that may have been compromised, and loss of data or money, if any, suffered by customers.
Debit or credit cards are prone to security issues when unauthorized parties gain access to the confidential data embedded on them, even as it is being swiped in an automatic teller machine.
A bank official said that customers are particularly sensitive about their debit cards which are directly linked to either salary or savings accounts. Stolen data can lead to immediate unauthorized debiting of funds from their accounts, with the cascading effect hitting their daily routines, utilities and other types of regular payments.
The problems were detected around six weeks back, prompting the National Payments Corporation of India, Mumbai, which controls all the retail payments systems in the country to declared early September that there "is no compromise at NPCI and our systems are fully safe and secure."
NPCI handles over 25 million transactions daily, including RuPay cards, of which more than 290 million are currently in circulation.
In the current scenario, the SBI alone has blocked more than 600,000 debit cards while assuring that the malware-related security breach was reportedly detected in the non-SBI ATM network.
It justified the move to ensure customers' confidential personal data is not compromised while swiping in ATMs for various transactions.
One of the card network companies, MasterCard, said Oct. 20 that its "own systems have not been breached."
"We are working on the investigations with the regulators, issuers, acquirers, global and local law enforcement agencies and third party payment networks to assess the current situation," a MasterCard spokesperson said.
It has advised the consumers to review their account statements and activity, and if any unusual or fraudulent transactions are suspected, they should contact the concerned bank for more assistance.
According to banking circles, several other banks have also experienced similar problems as a few ATMs have been hit by a malware which has a high potential to compromise customers data.
Besides SBI, other major banks which have been hit include ICICI, HDFC, Axis and Yes Bank, and roughly two-thirds of the affected cards belong to MasterCard and Visa, and the rest to RuPay.
Anxious customers have started enquiring with their respective banks as to the seriousness of the problems, whether their personal data has leaked out and if that could lead to financial implications, especially with the year's biggest festival at the doorstep.
On Wednesday evening, the SBI said it had blocked cards of certain customers identified by the networks as a precautionary measure, though it did not reveal the exact number of cardholders who would be hit.
Sympathising with the customers, the banks have asked them to change their ATM PINs, avoid using other banks' ATMs, or stick to Internet/online (on laptops/PCs) banking, as immediate damage-control measures.
The SBI, HDFC and ICICI have assured that their own systems have not been compromised as they deploy high-level of security measures and hence, existing cardholders can continue to use their cards as usual without any risks.