SBI, HDFC Bank, ICICI Bank, YES Bank and Axis Bank were among the worst. About 2.6 million affected cards are reportedly on the Visa and Mastercard platform, while 600,000 are on RuPay

Banks in India will either replace or ask users to change the security codes of as many as 3.2 million debit cards in what’s emerging as one of the biggest ever breaches of financial data in India.

Banks had been receiving multiple complaints from customers about cards being used in China at various ATMs and point of sale terminals.

The Times of India report said that the breach in the network originated from malware introduced in systems of Hitachi Payment Services, which managed card networks for Yes Bank.

A forensic audit has now been ordered by Payments Council of India on Indian bank servers and systems to detect the origin of frauds that might have hit customer accounts

HDFC Bank spokesperson said they had already taken action in the matter. “Besides advising those customers who we know have used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN, we are advising our customers to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs.”

The Times of India had reported on Wednesday that SBI would reissue 600,000 debit cards following a malware-related security breach. SBI has asked customers to change their PIN numbers as well.


  • Change the ATM PIN immediately.
  • Change your Internet Banking / transaction password. Create and maintain different passwords for log-ins and transactions. If you have more than one Internet Banking user ID, use a different password for each of them.
  • Monitor your account activity regularly by checking your balances and statements online. This helps you to detect fraudulent transactions, if any, quickly. The earlier a fraud is detected, the lesser will be its financial impact.
  • Always access your bank website by typing the URL in the address bar of your browser only
  • If you get an email asking for personal or credit/debit card information, please do not provide this information no matter how ‘genuine’ the page appears to be. Such pop-ups are most likely the result of malware infecting your computer.
  • Any bank or their representative will never send you emails to get your personal information, password or one time SMS (high security) password. Such e-mails are an attempt to fraudulently withdraw money from your account through Internet Banking.
  • Do not disclose details like passwords, debit card grid values, etc. to anyone, even if they claim to be bank employees or on e-mails/links from government bodies like RBI, I.T. Dept., etc
  • Do not share OTP with anyone, even if the person claims to be a Bank official.
  • Do not rely on the name and source in the “From” field of the email address as it may be easily manipulated by the fraudster to a valid email account of bank.
  • Report any fraudulent incident to the Bank / institution on the number mentioned on the Debit / Credit card, bank / credit card statement or official website.