
Hitachi Owns Up To Mid-2016 Breach That Compromised 32 Lakh Debit Cards

Can’t ascertain the amount of data that was stolen in the breach, Hitachi says.



A customer uses a credit card to make a contactless payment (Photographer: Simon Dawson/Bloomberg)

Hitachi Payment Services, a payment switch provider, has admitted that sophisticated malware injected into its network led to the massive debit card breach between May and July of 2016 that resulted in the loss of information on over 32 lakh cards.

The company is a wholly owned subsidiary of Japan’s Hitachi Ltd. A payment switch provider is an entity that facilitates a transaction either from an ATM or an online payment gateway. The service provider decides to whom the request for authorisation will be sent and then transmits the request back to the merchant or the ATM where the transaction originated.

SISA Information Security, an information security audit firm based in Bengaluru, had been tasked with the forensic audit of Hitachi Payment’s systems.

“SISA Information Security Pvt. Ltd. has completed its final assessment report, on the reported breach of security protocols which led to the potential compromise of debit cards between May 21 2016 to July 11 2016. SISA’s report pointed out to a sophisticated injection of malware in the Hitachi Payment Services’ systems, which was able to compromise the details of these debit cards.”
Hitachi Payment Systems Statement

The debit card breach first came to light when State Bank of India blocked over 6 lakh debit cards on October 14 as a preventive measure on learning that the details of these cards could have been compromised.

Hitachi said that while the behaviour of the malware and the extent of its penetration into the network were discovered, the extent of the data that was stolen between May and July could not be ascertained.

Malware is malicious software code that generally remains undetected for long periods of time within a network.

The National Payments Corporation of India (NPCI), in a statement in October, had said that fraudulent withdrawals that followed the breach of information were limited to 19 banks and 641 customers. The amount reported by various banks to the NPCI was a total of Rs 1.3 crore.

Loney Antony, Hitachi Payment System’s managing director, said in a media statement that the breach took place despite the company adopting the standards of internationally accepted best practices in the business.

“Hitachi Payment Services regrets the inconvenience caused to banks and its customers due to this lapse in its security infrastructure. We assure you of our highest commitment to building a robust infrastructure in our systems and preventing such cyber frauds in future,” he said.