By Devidutta Tripathy
MUMBAI (Reuters) - A slew of banks in India are replacing or asking their customers to change security codes of as many as 3.25 million debit cards due to fears that the card data may have been stolen in one of the country's largest-ever cyber security incidents.
Card network providers Visa <V.N>, MasterCard <MA.N>, and home-grown RuPay run by the National Payments Corp of India (NPCI) swung into action in September after receiving complaints from some banks that their clients' cards had been fraudulently used mainly in China and the United States even though they were in India, said the chief of NPCI, which also runs the biggest network of shared ATMs.
There was a possible compromise of one of the payment switch provider's systems, NPCI Chief Executive A.P. Hota said in a statement. A switch is part of the back-end network aiding ATM operations.
Hota said the card network providers had alerted all affected banks and the advice to banks to replace cards was a "preventive exercise", adding: "Necessary corrective actions already have been taken and hence there is no reason for bank customers to panic."
Of the debit cards affected, about 2.65 million are on Visa and MasterCard platforms, while 600,000 are on RuPay, Hota earlier told CNBC TV18, adding the breach involved some 90 ATMs.
Visa and Mastercard said in separate statements their own networks had not been compromised, but they were aware of the issue and were working with banks, regulators and others to support investigations.
While the potential breach impacts a large number of debit card holders, the number of cards affected accounts for just 0.5 percent of the nearly 700 million debit cards issued by banks in India.
While the NPCI did not name the payment switch provider whose systems it found had been compromised, banking industry sources with direct knowledge said the issue stemmed from a breach in systems of Hitachi Ltd <6501.T> subsidiary Hitachi Payment Services, which manages ATM network processing for Yes Bank Ltd <YESB.NS>.
The sources were not authorised to speak with media on the matter and so declined to be identified.
Yes Bank said in a statement on Thursday it had proactively undertaken a review of its ATMs and found no evidence of any breach. The bank said it continued to work with other banks and the NPCI to ensure safety and security of its ATM network and payment services.
A Hitachi spokeswoman said it was investigating the matter, including whether there was a malware problem, adding it had no further comment at this time.
State Bank of India <SBI.NS>, the nation's top lender, said it had blocked cards of certain customers after being informed by card network providers about a breach outside its network and it was replacing those cards as a proactive measure.
The bank has found about 620,000 of its more than 200 million cards "vulnerable", Mrutyunjay Mahapatra, a deputy managing director at SBI, told Reuters, but added he did not expect any significant financial loss.
Complaints of fraudulent cash withdrawals affected a total 641 customers of 19 banks, and the money involved was 13 million rupees ($194,612), according to NPCI.
ICICI Bank <ICBK.NS>, HDFC Bank <HDBK.NS> and Axis Bank <AXBK.NS> - the top three private sector lenders - confirmed in separate statements some of their customers' card accounts had been possibly breached after use at outside ATMs. The banks said they had advised the clients to change their PINs.
Standard Chartered's <STAN.L> Indian unit has also begun to re-issue debit cards for some customers, according to messages sent to clients. The bank said it replaced possibly affected cards as a "precautionary measure" to ensure that customers' financial security is not compromised, adding there was no breach across its own network.
($1 = 66.7995 Indian rupees)
(Reporting by Devidutta Tripathy; Additional reporting by Suvashree Dey Choudhury and Katsuro Kitamatsu; Editing by Christopher Cushing and Elaine Hardcastle)