Cyber Incident Victim: YES Bank
Date: Sep 2016
Location: India
Summary
A malware intrusion in Hitachi Payment Services' systems compromised approximately 3.2 million debit cards across multiple banks, including YES Bank, enabling unauthorized transactions over a six-week period. Fraudulent activities primarily occurred through Visa and MasterCard networks, with reports of cards being misused in China, prompting banks to block affected cards, advise PIN changes, and recommend using their own ATMs due to security concerns. The Payments Council of India initiated a forensic audit to trace the breach origin, while impacted institutions emphasized no internal network compromises despite evidence pointing to vulnerabilities in third-party ATM providers.
Description
In October 2016, a major security breach compromised approximately 3.2 million debit cards issued by several Indian banks, including YES Bank, State Bank of India (SBI), HDFC Bank, ICICI Bank, and Axis Bank. The breach originated from malware introduced into the systems of Hitachi Payment Services, a provider of ATM, point-of-sale (PoS), and other payment infrastructure services. This malware enabled unauthorized actors to steal card information, which was subsequently used to conduct fraudulent transactions. Of the compromised cards, 2.6 million operated on the Visa and MasterCard networks, while 600,000 were on the RuPay platform. The malware infection persisted undetected for approximately six weeks, affecting transactions processed during this period across Hitachi’s network. Banks began receiving customer complaints about unauthorized transactions occurring in China, including withdrawals from ATMs and purchases at PoS terminals. These reports prompted alerts to Visa and MasterCard, which subsequently led to a broader investigation. The Payments Council of India ordered a forensic audit of Indian bank servers and systems to identify the source of the compromise, with the audit conducted by Bengaluru-based payment security firm SISA. The National Payments Corporation of India (NPCI) confirmed suspicions arose after banks reported cards being misused in China, though the exact entry point of the breach remained under investigation at the time of reporting.

Affected banks implemented varying containment measures. SBI blocked 600,000 debit cards and initiated a reissuance process, advising customers to change their PINs and attributing the compromise to non-SBI ATM networks, including third-party white-label ATM providers. HDFC Bank proactively contacted customers who had recently used non-HDFC ATMs, urging them to change their PINs and recommending exclusive use of HDFC ATMs due to perceived security deficiencies in other banks’ terminals. YES Bank, ICICI Bank, and Axis Bank did not publicly disclose specific remedial actions, with all three institutions declining to respond to media inquiries about the incident. The breach underscored systemic vulnerabilities in interbank ATM networks, with Hitachi Payment Services’ role as a common service provider amplifying the incident’s scope. Financial impacts included direct losses from fraudulent transactions, card reissuance costs, and operational disruptions during the forensic audit. Customer trust was further strained by banks’ divergent communication strategies, with some institutions like HDFC and SBI issuing advisories while others remained silent. The incident marked one of India’s largest card data compromises at the time, highlighting critical dependencies on third-party payment processors and the need for enhanced network monitoring.
