Cyber Incident Victim: HDFC Bank

Date: Oct 2016

Location: India

Summary

A malware breach impacting Hitachi Payment Services compromised approximately 3.2 million debit cards, including those issued by HDFC Bank and several other major financial institutions. The malware, active for roughly six weeks, enabled unauthorized access to card data, leading to fraudulent transactions primarily in China. Affected banks responded by blocking compromised cards, advising customers to change PINs, and urging the use of their own ATMs due to perceived security weaknesses in third-party networks. The Payments Council of India initiated a forensic audit to determine the breach's origin, while banks collaborated with payment networks Visa and MasterCard to investigate the incident. The compromise predominantly affected cards on international payment platforms, with a smaller subset on the domestic RuPay network also impacted.

Description

In October 2016, a cybersecurity breach compromised approximately 3.2 million debit cards issued by multiple Indian banks, including HDFC Bank, State Bank of India (SBI), ICICI Bank, YES Bank, and Axis Bank. The breach originated from malware introduced into the systems of Hitachi Payment Services, a provider of ATM, point-of-sale (PoS), and other banking infrastructure services. This malware enabled attackers to steal debit card information, including details necessary to conduct unauthorized transactions. The compromised cards included 2.6 million on the Visa and MasterCard networks and 600,000 on the RuPay platform. The malware infection persisted undetected for approximately six weeks, during which attackers harvested data from transactions processed through Hitachi’s network. Suspicion arose when banks began receiving customer complaints about fraudulent transactions occurring in China, including unauthorized ATM withdrawals and PoS usage. Visa and MasterCard were alerted by the affected banks, prompting further investigation.

The Payments Council of India ordered a forensic audit of Indian bank servers and systems to determine the breach’s origin and scope, with Bengaluru-based firm SISA conducting the analysis. SBI proactively blocked 600,000 compromised debit cards and advised customers to change their PINs, attributing the breach to vulnerabilities in non-SBI ATM networks, including third-party white-label ATM providers. HDFC Bank similarly urged customers to use only HDFC ATMs, citing concerns about weaker security controls at other banks’ ATMs, and advised PIN changes for customers who had recently used non-HDFC ATMs. NPCI Managing Director AP Hota confirmed the breach primarily affected Visa and MasterCard networks but emphasized the need for a comprehensive audit of all payment systems. Hitachi Payment Services, Visa, MasterCard, ICICI Bank, Axis Bank, and YES Bank did not provide public comments in response to initial queries. The incident highlighted systemic risks in third-party payment processing infrastructure and triggered large-scale card reissuance and customer notifications across multiple institutions.
