The Reserve Bank of India (RBI) has imposed a fine of Rs 6 crore on YES Bank for failing to report a cyber security breach of its ATM network, and for breaching its rules regarding Income Recognition Asset Classification (IRAC). Regarding the security breach, RBI said that:

A cyber-security incident involving ATMs of the bank was also not reported by the bank within the prescribed timeframe. Based on the inspection report and other relevant documents, a Notice was issued to the bank dated July 6, 2017, followed by a supplementary notice dated August 24, 2017, advising it to show cause as to why penalty should not be imposed on it for non-compliance with directions issued by RBI. After considering the bank’s replies, oral submissions made in the personal hearings, as also the additional information and documents furnished, RBI came to the conclusion that the aforesaid charges of non-compliance with RBI directions were substantiated and warranted imposition of monetary penalty.

Last year, between May 25 and July 10 card data of an estimated 3.2 million customers were stolen from 90 YES Bank ATMs and point of sale (PoS) terminals managed by Hitachi Payment Services Pvt. Ltd. However, it wasn’t till September of last year that the extent of the breach came to light. Customers of State Bank of India (SBI), Axis Bank, ICICI Bank, and HDFC Bank, besides YES Bank were affected by this data breach. Of the debit cards affected, about 2.65 million were on the Visa and MasterCard platforms, while a further 600,000 were on National Payments Corp of India’s (NPCI) RuPay platform. According to NPCI the complaints of fraudulent withdrawal were limited to cards of 19 banks and 641 customers, amounting to about Rs 1.3 crore.

At the time, YES Bank had said that there was no breach on ATMs handled by the bank itself.

“YES BANK has proactively undertaken a comprehensive review of its ATMs, and there is no evidence of a breach or compromise on YES BANK ATMs. YES BANK continues to work with relevant stakeholders, including other public sector and private banks, and NPCI, to ensure utmost safety and security of its ATM network and payment services which are completely safe to use.”

27,000 cyber security threat incidents in the first half of 2017

In July this year, Minister of State for Electronics and IT, P P Chaudhary told Rajya Sabha that India witnessed more than 27,000 cyber security threat incidents in the first half of 2017. As per the information reported to and tracked by Indian Computer Emergency Response Team (CERT-In), the number of cyber security incidents reported were:

2014: 44,679
2015: 49,455
2016: 50,362
2017 (till June): 27,482