Hitachi Payments Services owns-up to 2016 breach in India, says amount of data exfiltrated “unascertainable”

Hitachi Payments Services has accepted its systems were compromised by a sophisticated malware in 2016, which triggered one of the biggest cyber security breaches in India.

The massive security breach had affected 3.2 million cards. The National Payments Corporation of India (NPCI) had stated more than 600 customers had reported losses of at least Rs 1.3 crore due to the breach.

Hitachi Payments Services, a wholly-owned subsidiary of the Japanese Hitachi, acknowledged the breach after it received final assessment report from payments and information security audit firm SISA Information Security.

In what poses more scope for worries, the company said the amount of data exfiltrated is "unascertainable due to secure deletion by the malware".

"We confirm that our security systems had a breach during mid-2016," its Managing Director Loney Anthony said, adding this happened despite following adequate security measures and adopting the standards of internationally- accepted best practices.

The compromise period has been identified between May 21 and July 11. It had come out in public after a slew of banks, including those not serviced by Hitachi, approached customers making either card replacements or ATM PIN changes compulsory.

"Hitachi Payment Services regrets the inconvenience caused to banks and its customers due to this lapse in its security infrastructure. We assure you of our highest commitment to building a robust infrastructure in our systems and preventing such cyber frauds in future," Anthony said.

Quoting the SISA report, the Hitachi statement said a sophisticated malware (a piece of malicious software code) was injected in Hitachi Payment Services' systems, which led to compromise the details of debit cards.

The malware had been able to "work undetected and had concealed its tracks during the compromise period", it added.