
Cyber Incident Victim: State Bank of India

Date: Sep 2016

Location: India

Summary

A malware attack on Hitachi Payment Services' systems compromised approximately 3.2 million debit cards, including 2.6 million on Visa and MasterCard platforms and 600,000 on RuPay, affecting multiple banks with State Bank of India among the most impacted. The breach enabled fraudulent transactions primarily in China, leading affected institutions to block compromised cards, advise customers to change PINs, and initiate forensic audits through the Payments Council of India and security firm SISA. The malware reportedly operated undetected for six weeks, targeting non-bank ATM networks and third-party service providers, though bank-specific ATM infrastructures like SBI's were claimed to remain secure.

Description

In October 2016, a major security breach compromised approximately 3.2 million debit cards issued by multiple Indian banks, with State Bank of India (SBI), HDFC Bank, ICICI Bank, YES Bank, and Axis Bank identified as the most severely impacted institutions. The breach was traced to malware infiltrating systems operated by Hitachi Payment Services, a provider of ATM, point-of-sale (PoS), and payment processing infrastructure. This malware enabled unauthorized actors to steal card data, which was subsequently used to conduct fraudulent transactions—primarily in China—across ATM withdrawals and PoS terminals. The compromise reportedly persisted undetected for approximately six weeks, affecting all cards processed through Hitachi’s network during that period. Of the total compromised cards, 2.6 million operated on the Visa and MasterCard networks, while 600,000 were on the RuPay platform. The breach was initially detected after multiple banks received customer complaints regarding unauthorized transactions in China, prompting alerts to Visa and MasterCard. The National Payments Corporation of India (NPCI) confirmed suspicions arose specifically from fraudulent activity occurring outside India.

In response, the Payments Council of India ordered a forensic audit of Indian banking servers and systems, conducted by Bengaluru-based firm SISA, to determine the exact origin and extent of the breach. SBI proactively blocked 600,000 debit cards and advised affected customers to change their PINs, while emphasizing that its own ATM network had not been compromised. The bank attributed the breach to vulnerabilities in non-SBI ATM networks, including third-party white-label ATM providers. HDFC Bank similarly urged customers to use only HDFC ATMs, citing superior security controls, and recommended PIN changes—particularly for those who had recently used non-HDFC ATMs. Neither Hitachi Payment Services nor the card networks (Visa, MasterCard) provided public statements regarding the incident. NPCI Managing Director AP Hota confirmed the audit would cover all payment networks despite initial fraud reports centering on Visa and MasterCard, aiming to identify systemic weaknesses. The incident highlighted risks in third-party payment processing infrastructure and spurred large-scale card reissuance efforts across affected banks.
