Hitachi admits to systems being compromised in 2016 leading to card scare

Hitachi Payments Services on Thursday accepted its systems were compromised by a sophisticated malware in mid-2016, that led to one of the biggest cyber security breaches in country with 3.2 million cards affected and a scare over security of card-based transactions.

The National Payments Corporation of India (NPCI) had said over 600 customers had reported losses of at least Rs 1.3 crore due to the breach.

The company, a wholly-owned subsidiary of the Japanese Hitachi, made the acknowledgement following the receipt of final assessment report from payments and information security audit firm SISA Information Security, and said it "regrets" the inconvenience caused.

In what poses more scope for worries, the company said the amount of data exfiltrated is "unascertainable due to secure deletion by the malware".

"We confirm that our security systems had a breach during mid-2016," its Managing Director Loney Anthony said, adding this happened despite following adequate security measures and adopting the standards of internationally- accepted best practices.

The compromise period has been identified between May 21 and July 11. It had come out in public after a slew of banks, including those not serviced by Hitachi, approached customers making either card replacements or ATM PIN changes compulsory.

Out then, the compromise was suspected to have happened through one of the ATMs of Yes Bank, one of the biggest clients of the company.

Yes Bank's Rana Kapoor had called for stricter vigil on the outsourced service providers following the compromise.

"There needs to be a lot more vigilance where there are outsourcing partners to make sure they don't endanger the delivery and system risk, and there's a fair amount of policing as far as outsourcing risks are concerned," he said.

"Hitachi Payment Services regrets the inconvenience caused to banks and its customers due to this lapse in its security infrastructure. We assure you of our highest commitment to building a robust infrastructure in our systems and preventing such cyber frauds in future," Anthony said.

Quoting the SISA report, the Hitachi statement said a sophisticated malware (a piece of malicious software code) was injected in Hitachi Payment Services' systems, which led to compromise the details of debit cards.

The malware had been able to "work undetected and had concealed its tracks during the compromise period", it added.

Its behaviour and penetration into the network has been deciphered, but the amount of data exfiltrated is "unascertainable", it said.

The company acknowledged the system-wide trouble, that was caused due to the lapse at its end, saying banks had to take remedial action like blocking payments at international locations, reduced withdrawal limits, asking for PIN changes and monitoring of unusual patterns.

The company said the actions limited the extent of compromise and claimed that there has not been any "further misuse due to the containment measures deployed by Hitachi Payment Services".

The RBI has been asking banks to enhance their digital security and the Hitachi statement comes a day after the central bank announced formation of an inter-disciplinary standing committee on cyber security to review threats, study security standards and suggest appropriate policy interventions.