The data breach at 19 Indian banks that has led to more than 32 lakh debit cards being blocked or recalled is a wake-up call for the banking industry. While the actual number of complaints received so far, 641, and the sum of money that appears to have been fraudulently withdrawn, Rs.1.3 crore, are both small relative to the scale of the potential data theft, it is disconcerting that it has taken almost six months for the system to officially acknowledge the incidents and initiate steps to address them. It is all the more galling since the Reserve Bank of India and its top officials have been urging bankers for quite some time to accord urgent priority to cyber security. A private bank appears to have been a point of entry for the data criminals who, according to reports, may have infiltrated using malware at ATMs operated by a third-party payment services vendor. The National Payments Corporation of India has been coordinating investigations into the incident, and a forensic audit is expected to reveal preliminary findings soon. For the government and the banking regulator, much is at stake as the two have sought to move in concert to harness the digital revolution to advance socio-economic policy objectives. These include increasing financial inclusion, better targeting of subsidies through the direct benefit payments model, improving economic efficiency by lowering transaction costs, and moving toward a cashless economy so as to reduce the circulation of black money and curb tax evasion.
In this context, former RBI Governor Raghuram Rajan’s comment at a recent banking technology conference is instructive: “Payment systems are the plumbing of the financial system; so long as there is no leakage or clogging, we are unaware of their functioning. But when they do back up, the situation becomes catastrophic quickly.” With banks in India having embraced technological change, the onus is on them to integrate inter-generational legacy systems across branches, ATMs and online banking networks into one seamless and secure whole. The Carbanak cyber gang’s coordinated and widespread attack, which is estimated to have cost about 100 financial institutions worldwide $1 billion, revealed that today’s criminals are using increasingly sophisticated tools to access computer systems at banks. As these may gestate for several months before manifesting themselves, banks can ill afford to be complacent or to approach incidents such as the latest debit card data breach with band-aid solutions. Top managements at lenders should reappraise their cyber culture, heed warnings and alerts promptly, and address shortcomings.