Data Breach in Indian Banks: a Master Theft or a Grand Fiasco?


Recent times saw one of the biggest security and information breaches (read: theft) in the Indian banking scenario; about 3.2 million card holders suffered from this breach. The breach is alleged to have occurred in the Hitachi Payment Services systems, which were infected with malware that collected and stored personal data, including card details and PINs, which were then used to commit further frauds at various locations in the US and China. Hitachi Payment Services serves as the ATM network of Yes Bank and several other

The victims of this breach were spread across various banks, both private and public sector, and across different debit card platforms. The banks include the likes of State Bank of India, Yes Bank, Axis Bank, ICICI Bank and others; 2.6 million of the cards belonged to the Visa and MasterCard platforms and about 6 lakh to RuPay. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016]. State Bank of India alone blocked around 6.2 lakh ATM cards. The banking sector responded by sending messages to the customers who were probably affected by the breach, urging them to change their PIN or get their ATM cards blocked, and said that new debit cards would be issued to them. A total of around ₹1.3 crore is said to have been lost, but according to bank policy, where the default was on the part of the bank or a third party, the amount lost is to be returned to those who lost it. Though the banks prima facie admit that the breach occurred, they deny that their own systems were affected.

Though the recent happenings may seem new, they are not; the underlying fact is that this kind of theft or breach is an everyday affair. Not every incident is reported, and certainly not on this scale, but there is no denying that they happen, and they usually end as a tussle between the bank and the victim.

Questions that need a Look

There are some unanswered questions that need consideration. Firstly, the breach is alleged to have happened between May and July; why did it take so long for the breach to come to light?

The breach took place somewhere between May and July, and the information came out only in the latter part of October, when the banks (especially SBI) started sending text messages to their customers asking them to change their PINs and issuing new debit cards. The core reason for this delay, however, lies in the lack of cooperation among the different banks and their failure to share information with one another, which ultimately led to this fiasco.

It is not a lack of institutions that led to this condition; there are institutions set up to look into cases of cyber attacks, namely the Institute for Development and Research in Banking Technology [IDRBT] and the Information Sharing and Analysis Centre [ISAC], and banks have Security Operations Centres [SOCs]. But a lack of vision and mutual coordination led us here: each bank that received complaints treated them in isolation, the complaints were dubbed as fraud and not forwarded to the ISAC, and so on, and there was no conclusive prior alert. By the time it was realized that these were not stray incidents, the breach was already done. Most SOCs are understaffed and do not employ automated systems for the detection and reporting of threats. [The, India suffered a massive debit card data breach because no one connected the dots].

The second question that must be raised is why there was no prompt disclosure of the breach.

It can be expected that a bank, or any institution that holds a person's data and then loses it, would not like to tell its customers that it was unable to keep their data safe. But at the same time, customers have a right to know what is happening with their information. The Indian banks, though, tried to keep this sensitive information about the data breach to themselves and willingly chose not to disclose it to the parties concerned, which for obvious reasons is very alarming. [Javed Anwer, India Today, 32 lakh bank cards hacked: India needs data breach disclosure law and needs it now, Oct 20, 2016].

The data that was stolen, or over which the breach occurred, belonged to the customers of the banks; it was their private data, and everything that happens to it needs to be conveyed to them, rather than a cryptic text message. What the sending of such messages can lead to is a shifting of blame: the customer who received the text did not comply with it, and the mistake on the part of the bank and others can then easily be attributed to the victim himself. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016].

What Needs to be Done

There is a need for changes in the present scenario if incidents like these are to be controlled and contained in the future.

  1. Need to strengthen the SOCs and mechanisms of early detection: There is no denying that with the evolution of technology, banking is also changing and becoming more technologically equipped. But at the same time, the number of hackers wanting to get hold of this information is rising too, and there is a critical need to empower SOCs and other institutions to deal with these threats. There is also a need to make it compulsory for banks to have fully functional SOCs, which would be bound to share information about suspected breaches, as the present case arose due to a lack of proper information sharing.
  2. Strict laws making it mandatory to inform about breaches: The USA and the EU have had laws for a long time that make it mandatory to inform about data breaches. Here, though there is a fundamental Right to Privacy, there is no framework that necessitates informing about a breach of data. The time calls for a law that makes it compulsory for a corporation to inform the parties concerned about a data breach. This would ultimately lead corporations to come clean about the efforts they put into securing the private data of their customers, and thus ultimately to the development of even more secure systems.
  3. Awareness programs: Breaches of this kind are the exception; what is common is the breach that usually involves a single person or a small group of persons. Most such small-scale breaches are carried out using some external device that can collect data in one form or another, and most of those devices can be identified easily, as they are not regular components of the ATM. There is a need to make it compulsory for banks to put up tutorials or other material informing customers to watch out for such devices when they use ATMs. This simple exercise can help reduce the small cases, which happen more often.
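The "no one connected the dots" point above, and the call in item 1 for SOCs that share information and automate detection, come down to one defensive analysis: pooling fraud complaints from every bank and looking for the ATM operator that all the victim cards have in common. The script below is an added example, not code from the article or from any bank or processor named in it; all usage records, complaints, bank names and operator names are constructed placeholders.

```python
"""Common-point-of-compromise check over fraud complaints pooled across banks.
Added example, not code from the original article or from any bank or processor named
in it. All data below is constructed; bank and operator names are placeholders."""
from collections import Counter, defaultdict
from datetime import date
from fractions import Fraction

# Constructed ATM-usage records: (card_id, issuing_bank, atm_operator, use_date)
USAGE = [
    ("c01", "BankA", "OperatorX", date(2016, 5, 12)), ("c01", "BankA", "OperatorY", date(2016, 6, 2)),
    ("c02", "BankA", "OperatorX", date(2016, 6, 9)), ("c02", "BankA", "OperatorZ", date(2016, 6, 20)),
    ("c03", "BankA", "OperatorX", date(2016, 7, 1)), ("c03", "BankA", "OperatorY", date(2016, 7, 3)),
    ("c04", "BankB", "OperatorX", date(2016, 5, 30)), ("c06", "BankB", "OperatorY", date(2016, 6, 22)),
    ("c05", "BankB", "OperatorX", date(2016, 6, 15)), ("c05", "BankB", "OperatorZ", date(2016, 7, 8)),
    ("c07", "BankC", "OperatorX", date(2016, 7, 11)), ("c08", "BankC", "OperatorX", date(2016, 7, 19)),
    ("c09", "BankC", "OperatorZ", date(2016, 6, 5)), ("c09", "BankC", "OperatorY", date(2016, 6, 6)),
    ("c09", "BankC", "OperatorX", date(2016, 8, 20)),  # outside the suspected May-July window
]
# Constructed complaints: cards whose holders reported fraudulent withdrawals abroad
COMPLAINTS = {"c01", "c02", "c04", "c05", "c07", "c08"}
WINDOW = (date(2016, 5, 1), date(2016, 7, 31))  # period the article says the breach occurred in

def complaints_by_bank(usage, complaints):
    """What each bank sees on its own: a couple of complaints, easily dismissed as stray fraud."""
    bank_of = {card: bank for card, bank, _op, _d in usage}
    return Counter(bank_of[c] for c in complaints if c in bank_of)

def common_point(usage, complaints, start, end):
    """Rank ATM operators over the pooled complaints by (coverage, hit_rate).

    coverage: fraction of victim cards that used the operator inside the window.
    hit_rate: fraction of the operator's in-window cards that later became victims.
    An operator nearly every victim touched, and whose users are mostly victims,
    is the likely common point of compromise."""
    seen = defaultdict(set)
    for card, _bank, op, d in usage:
        if start <= d <= end:
            seen[op].add(card)
    victims = complaints & {rec[0] for rec in usage}
    scores = {}
    for op, cards in seen.items():
        hit = cards & victims
        scores[op] = (Fraction(len(hit), len(victims)), Fraction(len(hit), len(cards)))
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    print("per-bank view:", dict(complaints_by_bank(USAGE, COMPLAINTS)))
    for op, (cov, hit) in common_point(USAGE, COMPLAINTS, *WINDOW):
        print(f"{op}: coverage={cov} hit_rate={hit}")
```

Each bank alone sees two complaints, which is exactly the "stray fraud" view the article describes; only the pooled view shows that every victim card passed through the same operator inside the window.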


This story may be new in terms of the scale of the number of people affected, but it is an almost everyday scene. Every organization has its own version of the story to tell: the banks point out that there is no flaw in their systems and that the breach was in the card industry, while the card platforms say that their systems are secure and no breach occurred there.

At the same time, it must be remembered that the breach could possibly have been avoided if the institutions designated for the work of keeping a check had shown more cooperation and adopted a broader way of looking at things. And even if, after all care, breaches do happen, the corporations involved should be made to behave in a much more proper manner, at least in disclosing to the affected customers what has happened.
