ATM heist: India probes security breach
Mumbai, May 13, 2013
The Indian government's cyber watchdog is investigating how security at two companies that are part of the country's vast IT services industry was breached in a global ATM heist that saw $45 million stolen from two banks in the Middle East.
EnStage, which operates from Bangalore, and ElectraCard Services, based in Pune, processed card payments for the two banks that were hit in the theft, several people familiar with the situation said.
"We are investigating the technical aspect," Gulshan Rai, director general of the Indian Computer Emergency Response Team (CERT), part of the department of electronics and information technology, told Reuters by phone on Sunday.
"What kind of breach has happened in the system, how did it happen, what processes are in place, and the entire technical aspect we will look at," he said, adding that the agency had started its investigation on Saturday.
US prosecutors said on Thursday that hackers broke into two card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world.
The prosecutors did not name the two companies but said one was based in India and the other in the US.
While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their insurers and those of the processing companies.
According to a US official and a bank employee, who both spoke on condition of anonymity, ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah (RakBank). Rakbank suffered a $5 million coordinated heist at ATMs around the world on December 21 last year, according to the US indictment.
In a statement on Sunday, ElectraCard, or ECS, said it had been affected by "fraud attacks" in December. It said investigations show that "PIN and Magnetic stripe data seem to have been compromised outside the ECS processing environment."
MasterCard bought a 12.5 percent stake in ElectraCard in 2010. MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised.
EnStage, which is incorporated in Cupertino, California, but has operations based in Bangalore, is the company that processed card payments for Bank Muscat of Oman, according to a source close to the bank. Bank Muscat lost $40 million in a coordinated heist on February 19, according to Thursday's indictment.
"Our customers were adversely affected by this sophisticated crime," EnStage CEO Govind Setlur said in a statement in the Times of India newspaper.
A statement obtained by Reuters from a company spokesman said: "Since the time the incident occurred, EnStage has retained independent security experts to analyse the intrusion and to recommend enhancements to its information security infrastructure. EnStage has implemented both these enhancements as well as additional monitoring capabilities."
Setlur was travelling and could not be reached for further comment on Sunday.
An employee at the company's office in central Bangalore who did not want to be identified said that about 250 people work in the office but did not give further details.
Bank Muscat has not commented on the case.
Police in Pune and Bangalore did not immediately have information on the matter when reached on Sunday.
The breach in security at Indian operators is a blow to the country's multi-billion dollar information technology industry, which received about half of all outsourcing contracts in the world in 2011, according to industry data.
India-based IT vendors, who rely on the trust of global clients to handle sensitive data, are dominated by companies providing support services to the global financial industry.
Eddie Schwartz, chief information security officer for RSA Inc, a firm that helps banks fight payment card fraud, said that it is not surprising that hackers would target banks that rely on Indian firms to process transactions.
Schwartz, who is based in Washington, said there is not as much government oversight in India as there is in the United States and Western Europe.
"Hackers view India as a target. It's got a fast-moving economy, a fast-moving IT infrastructure," Schwartz said. - Reuters