Cyber Incident Victim: ICICI Bank Limited

Date:

Oct 2016

Location:

India

Summary

A malware attack on Hitachi Payment Services' systems compromised approximately 3.2 million debit cards, including those issued by ICICI Bank and several other major Indian financial institutions. The breach enabled unauthorized transactions, primarily in China, leading affected banks to block cards and advise customers to change PINs. A forensic audit was initiated by the Payments Council of India to determine the origin of the compromise, which was suspected to have originated from non-bank ATM networks. The malware reportedly infected systems for six weeks before detection, impacting transactions during that period. Financial institutions collaborated with payment networks Visa and MasterCard to investigate the incident while assuring customers that their own ATM networks remained secure.
Description

In October 2016, a cybersecurity incident impacted approximately 3.2 million debit cards issued by multiple Indian banks, including ICICI Bank, State Bank of India (SBI), HDFC Bank, YES Bank, and Axis Bank. The breach originated from malware infiltrating systems operated by Hitachi Payment Services, a provider of ATM, point-of-sale (PoS), and payment processing infrastructure. Attackers leveraged this malware to compromise cardholder data over approximately six weeks, enabling unauthorized transactions. Financial institutions began detecting suspicious activity after receiving customer reports of fraudulent transactions occurring in China through both ATM withdrawals and PoS terminals. Visa and MasterCard networks processed most of the compromised transactions (2.6 million cards), while 600,000 affected cards operated on India's RuPay platform. The malware's presence went undetected for the duration of the six-week compromise window, allowing attackers to exfiltrate data from all cards processed through Hitachi's network during that period.
The Payments Council of India responded by commissioning a forensic audit of domestic banking servers and systems, executed by Bengaluru-based cybersecurity firm SISA, to determine the breach's origin. Affected banks implemented containment measures, with SBI blocking 600,000 debit cards and advising customers to change their PINs. SBI's Chief Information Officer attributed the compromise to vulnerabilities in non-SBI ATM networks, including third-party white-label ATM providers. HDFC Bank proactively notified customers who had recently used non-HDFC ATMs to change their PINs and recommended exclusive use of HDFC ATMs, citing superior security controls. NPCI Managing Director AP Hota confirmed the breach investigation was triggered by banks' reports of card misuse in China. ICICI Bank, Axis Bank, YES Bank, Visa, and MasterCard did not publicly comment on mitigation actions when queried. The incident highlighted systemic risks in third-party payment processing infrastructure and prompted large-scale card reissuance and customer notifications across the banking sector.