Data Breach in Indian Banks: a Master Theft or a Grand Fiasco?


Recent times saw one of the biggest breaches of security and information (read: theft) in the Indian banking scenario; about 3.2 million card holders were affected. The breach is alleged to have originated in the systems of Hitachi Payment Services, which were infected with malware that collected and stored personal data, including card details and PINs, which were then used to commit further frauds at various locations in the US and China. Hitachi Payment Services serves as the ATM network of Yes Bank and several other

The victims of this breach were spread across various banks, both private and public sector, and across different debit card service platforms. The banks include State Bank of India, Yes Bank, Axis Bank, ICICI Bank and others; 2.6 million of the cards belonged to the Visa and MasterCard platforms and about 6 lakh to RuPay. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016]. State Bank of India alone blocked around 6.2 lakh ATM cards. The banking sector responded by sending messages to customers who might have been affected by the breach, urging them to change their PIN or get their ATM cards blocked, and stating that new debit cards would be issued in their place. A total of around ₹1.3 crore is said to have been lost, but under bank policies the money is to be returned when the default was by the bank or a third party, so the amount lost would be returned to those who lost it. Though the banks prima facie admit that the breach has occurred, they deny that their own systems were affected.

Though the recent happenings may seem new, they are not; the underlying fact is that this kind of theft or breach is an everyday affair. Though not every incident is reported, and certainly not every incident is of this scale, there is no denying that they happen, and they usually end as a tussle between the bank and the victim.

Questions that need a Look

There are some unanswered questions that need consideration. Firstly, the breach is alleged to have happened between the months of May and July; why did it take so long for the breach to come to light?

The breach took place somewhere between May and July, and the information came out only in the latter part of October, when the banks (especially SBI) started sending text messages to their customers asking them to change their PINs and issuing new debit cards. The core reason for this delay lies in the lack of cooperation among the different banks and their failure to share information with one another, which ultimately led to this fiasco.

It is not a lack of institutions that led to this condition; institutions were set up to look into cases of cyber attacks, namely the Institute for Development and Research in Banking Technology [IDRBT] and the Information Sharing and Analysis Centre [ISAC], and banks have Security Operations Centres [SOCs]. But a lack of vision and mutual coordination led us here: each bank that received complaints treated them in isolation, the complaints were dubbed as fraud and not forwarded to the ISAC, and so on, so there was no conclusive prior alert. By the time it was realised that these were not stray incidents, the breach was already done. Most of the SOCs are understaffed and do not employ automated systems for detecting and reporting threats. [The, India suffered a massive debit card data breach because no one connected the dots].
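The "no one connected the dots" failure described above can be shown with a small correlation exercise: the same complaints that look like stray fraud inside any one bank point at a single shared processing network once the banks pool them. This is an added example, not code from the article or from any institution it names; the banks, card ids, network names and the alerting threshold are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed fraud complaints as each bank's SOC might log them (placeholder
# banks, card ids and processing-network names; not real data from the article).
# "network" is the processing network behind the ATM where the card was last
# used with its PIN before the fraudulent transactions appeared.
REPORTS = [
    {"bank": "Bank A", "card": "A-001", "network": "NET-X"},
    {"bank": "Bank A", "card": "A-002", "network": "NET-X"},
    {"bank": "Bank A", "card": "A-003", "network": "NET-P"},
    {"bank": "Bank B", "card": "B-001", "network": "NET-X"},
    {"bank": "Bank B", "card": "B-002", "network": "NET-X"},
    {"bank": "Bank B", "card": "B-003", "network": "NET-Q"},
    {"bank": "Bank C", "card": "C-001", "network": "NET-X"},
    {"bank": "Bank C", "card": "C-002", "network": "NET-X"},
    {"bank": "Bank C", "card": "C-003", "network": "NET-R"},
]

# Assumed alerting rule: a network is a suspected common point of compromise
# once at least THRESHOLD distinct compromised cards share it.
THRESHOLD = 4


def cards_per_network(reports):
    """Count distinct compromised cards per processing network."""
    seen = {(r["card"], r["network"]) for r in reports}
    return Counter(network for _, network in seen)


def isolated_view(reports, threshold=THRESHOLD):
    """What each bank's SOC sees on its own: only its own complaints.
    Returns {bank: sorted list of networks that crossed the threshold}."""
    by_bank = defaultdict(list)
    for r in reports:
        by_bank[r["bank"]].append(r)
    return {
        bank: sorted(n for n, k in cards_per_network(rs).items() if k >= threshold)
        for bank, rs in by_bank.items()
    }


def shared_view(reports, threshold=THRESHOLD):
    """What a sharing hub (the ISAC role) sees when all banks pool their reports."""
    return sorted(n for n, k in cards_per_network(reports).items() if k >= threshold)


if __name__ == "__main__":
    print("per-bank alerts:", isolated_view(REPORTS))   # every bank: []
    print("pooled alerts:  ", shared_view(REPORTS))     # ['NET-X']
```

Each bank sees only two cards on NET-X and raises nothing; the pooled view sees six and flags the network, which is the alert the article says never came.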

The second question that must be raised is why there was no prompt disclosure of the breach.

It can be expected that a bank, or any institution that holds a person's data and subsequently loses it, would not like to tell its customers that it was unable to keep their data safe. But at the same time, customers have a right to know what is happening with their information. The Indian banks, however, tried to keep this sensitive information about the data breach to themselves and willingly chose not to disclose it to the concerned parties, which for obvious reasons is very alarming. [Javed Anwer, India Today, 32 lakh bank cards hacked: India needs data breach disclosure law and needs it now, Oct 20, 2016].

The data that was stolen, or over which the breach occurred, belonged to the customers of the banks; it was their private data, and everything that happens to it needs to be conveyed to them, instead of a cryptic text message. What the sending of those messages can lead to is a shifting of blame: that the customer receiving the text did not comply with it, so that the mistake on the part of the bank and others could easily be attributed to the victim himself. [Sachin Dave, Saloni Shukla; The Economic Times, Banks reboot security, some to refund money to customers, Oct 21, 2016].

What Needs to be Done

There is a need for changes in the present scenario if incidents like these are to be controlled and contained in future.

  1. Need to strengthen the SOCs and the mechanism of early detection: There is no denying that with the evolution of technology, banking is also changing and becoming more technologically equipped. But at the same time, the number of hackers wanting to get hold of the information is rising too, and there is a critical need to empower SOCs and other institutions to deal with these threats. There is also a need to make it compulsory for banks to have fully functional SOCs that are bound to share information about suspected breaches, as the present case arose due to a lack of proper sharing of information.
  2. Strict laws making it mandatory to inform about a breach: The USA and the EU have had such laws for a long time, making it mandatory to inform about a data breach. In India, though there is a fundamental Right to Privacy, there is no framework that necessitates informing about a breach of data. The time calls for a law that makes it compulsory for a corporation to inform the concerned parties about a data breach. This would ultimately lead corporations to come clean about the efforts they put into securing their customers' private data, and thus ultimately to the development of even more secure systems.
  3. Awareness programs: Breaches of this kind are exceptions; what is common is the breach that usually involves a single person or a small group of persons. Most such small-scale breaches are done using some external device that can collect data in one form or another, and most of those devices can be identified easily as they are not regular components of the ATM. There is a need to make it compulsory for banks to put up tutorials or other material informing customers to watch out for such devices when they use ATMs. This simple exercise can help reduce the small cases, which happen more often.


This story may be new in terms of the scale of the number of people affected, but it is a scene of almost every day. Every organisation has its own version of the story to tell: the banks point out that there is no flaw in their systems and that the breach was in the card industry, while the card platforms say that their systems are secure and no breach occurred there.

At the same time, it must be remembered that the breach could possibly have been avoided if the institutions designated for the work of keeping check had shown more cooperation and taken a broader view. And even if, after all care, breaches do happen, the corporations involved should be made to behave in a much more proper manner, at least in disclosing to the affected customers what has happened.
