The recent times saw one of the biggest breach in security and information (read theft) in Indian scenario of banks, about 3.2 million card holders suffered from this breach. The alleged breach is said to have occurred from the Hitachi Payment Services systems, which were infected with malware which collected and store the personal data including the card details and PIN of the card, using which further frauds were committed in various locations in US and China. The Hitachi Payment Services serve as the ATM network of Yes Bank and several other
The victims of this breach were spread across various banks, both Private and Public Sector; and different Debit Card service platforms. Bank includes the likes of State Bank of India, Yes Bank, Axis Bank, ICICI Bank and other, whereas 2.6 million cards belonged to Visa and Master Card platform and about 6 lakhs from RuPay. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016]. State Bank of India alone blocked around 6.2 lakh ATM cards. The banking sector responded by sending messages to the customers who probably would have been affected by the breach urging them to change their PIN, get their ATM cards blocked and said that the new debit cards would be issued against them. A total sum of around ₹ 1.3 crore is said to be lost but, according to the bank policies, to return the money when default was by the bank or any third party, the amount lost would be returned to the people who lost it. Though the banks are prima facie admitting that the breach has occurred they deny that their systems were affected.
Though the recent happening may seem new, they are not; the underlining fact is that this kind of theft/breach is the affairs of the day. Though not every incident is reported and certainly is not of the scale as such, there is no denying to the fact that they happen, and usually end as a tussle between the Bank and the victim.
Questions that need a Look
There are some unanswered question that need consideration; firstly breach is alleged to happen between the months of the May and July, what took this much time for the breach to come in front?
The breach took place somewhere between May and July and the information came in latter parts of the month of October when the banks (specially SBI) started to send text messages to its customer asking them to change the PINs and issuing of new debit cards, the core for this delay however lies in the non cooperation among the different banks and how they failed to share the information with other banks, which ultimately lead to this fiasco.
It is not the lack of the institutions which lead to this condition, there are institutions which were setup to look into the cases of cyber attacks, namely Institute for Development and Research in Banking Technology [IDRBT], Information Sharing and Analysis Centre [ISAC] and banks have Security Operating Centers [SOCs]. But the lack of vision and mutual coordination lead us here, each bank which received the complaints treated them in isolation and the same was dubbed as fraud and not forwarded to the ISAC and so on, and there was no conclusive prior alert. When it was realized that these were not stray incidents, the breach was already done. Most of the SOCs are understaffed and don’t employ automated systems for detection and reporting of threats. [The Scroll.in, India suffered a massive debit card data breach because no one connected the dots].
The second question which must be raised that why there was no prompt disclosure of the same?
Though it can be expected that a bank, or any institution which has data of a person and consecutively loses it would not like to tell the customers that it was unable to keep their data safe, but at the same time the customers have a right to know about what is happening with their information, the Indian banks though tried to keep this sensitive information about data breach and willingly chose not to disclose it to the concerned parties, which for obvious reasons is very alarming. [Javed Anwer, India Today, 32 lakh bank cards hacked: India needs data breach disclosure law and needs it now, Oct 20, 2016].
The data that was stolen/ over which breached occurred, belonged to the customers of the bank; it was their private data and every happenings related to it need to be conveyed to them, instead of the cryptic text message, what sending of those message can lead to is shifting of blame that the customer receiving the text did not complied with it and then the mistake on part of the bank and others could easily be attributed to the victim himself. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016].
What Needs to be Done
There is a need calling for changes in the present scenario if the incidents like these are needed to be controlled and contained in future.
- Need to strengthen the SOCs and mechanism of early detection: There is no denying to the fact that with evolution of technology, banking is also changing and becoming more technologically equipped. But at the same time, the number of hacker willing to get hold of the information is rising too, there is a critical need to empower SOCs and other institutions to deal with these treats. There is also a need to make it compulsory for the banks to have fully functional SOCs which would be bound to share information of such suspected breaches, as the present case arose due to lack of proper sharing of info.
- Strict laws making it mandatory to inform about breach: The USA and the EU had these laws from long time and makes it mandatory to inform about data breach. Whereas though there is a fundamental right of Right to Privacy, but there is no framework which necessitates informing about the breach of data. The time calls for the need of a law which makes it compulsory for a corporation to informed the concerned parties about the date breach. This would ultimately lead the corporations to come clean with the efforts they put in to secure the private data of their customers and thus ultimately in development of even more secure systems.
- Awareness Programs: The breaches of this kind are exceptions, what is common is the breach that happens usually involving a single person or a small group of persons. Most of such small scale breaches are done using some external machinery which can collect data in some form or other, most of those devices can be identified easily as they are not regular components of the ATM device. There is a need to make it compulsory for the banks to put up tutorials or some other forms to inform the customers to watch out for such devices when they use the ATMs. This simple exercise can help in reduction of the small cases which happen more often.
This story may be new in terms of the scale of the number of people who were affected, but is a scene of almost every day. Every organization has its own version of the story to tell, the banks points that there is no flaw in their systems and the breach was in Card industry, the Card platforms are saying that their systems are secure and no breach was done there.
At the same time it must be remembered that the breach could have possibly been avoided if the institutions designated for the work of keeping check showed more cooperation and opted a broad way of looking at things. In the case even if after all care the breaches do happen then the corporations involved should be made to behave in a much proper manner, at least in disclosing the customers affected about what has happened.