Visa and Master-Card platform and 600,000 on the RuPay platform. The worst-hit of the card-issuing banks are State Bank of India, HDFC Bank, ICICI Bank among others.
The breach is said to have originated in malware introduced in systems of Hitachi Payment Services, enabling fraudsters to steal information allowing them to steal funds. Hitachi, which provides ATM, point of sale (PoS) and other services.
It was reported that SBI would reissue 600,000 debit cards following a malware-related security breach. SBI has asked customers to change their PIN numbers as well.
"Based on the complaints we have received, we are suspecting a compromise on the non-SBI ATM network which could include various white-label ATM service providers," SBI Chief Information Officer Mrutyunjay Mahapatra told Economic Times.
"Therefore, as a precautionary measure, we have blocked six lakh debit cards. We have assured our customers that there has not been any breach on the ATM network of SBI."
State Bank of India has started a process to block the cards of those who did not change the security code at its own cost, its spokesperson said today.
"Card network companies NPCI, MasterCard and Visa had informed various banks about a potential risk to some cards owing to a data breach. Accordingly, we have taken precautionary measures and have blocked cards of certain customers identified by the networks," SBI said in a statement this evening.
"We came to know about security breach and proactively recalled affected cards as we did not want our customers to be at any risk. There was no breach in our system. We are now issuing EMV-based debit cards which cannot be compromised," SBI deputy managing director and chief operating officer Manju Agarwal told a news agency.
She, however, declined to give the number of debit cards the bank has recalled. SBI has nearly 20 crore debit cards.
SBI further emphasised that its systems are absolutely fine and not compromised at and that existing cardholders are not at any risks.
"We are in the process of issuing new cards at no cost to those cardholders whose cards have been blocked. This is a cards industry incident and not an SBI only incident," an SBI statement said.
However, all the bankers were quick to claim that the breach has not led to any monetary losses to anyone and all the measures being taken are to safeguard the system against any potential threat.
When contacted, an RBI official said the central bank is seized of the matter and is looking into the issue.
Bankers said the problem was first discovered between May and July, and banks have resorted to recall the affected debit cards from September. "Data processes of one private bank was compromised which affected other banks' customers well. Customers who used that bank's ATM stand to get potentially affected," said another public sector banker.