India's Largest Card Compromise: Has The Dust Settled?
A Hot Potato a Week Ago, the Industry Seems to Have Moved On
A week before Diwali, we witnessed a whodunit in the Indian infosec space which I'd like to call "the immaculate conception of a malware attack" - an incident that has caused the biggest payment card data compromise in the history of Indian banking. And yet no one seems to be responsible (see: 3.2 Million Indian Debit Cards at Risk).
I say "immaculate conception" because every bank known to be at risk claimed they were not the source of the compromise. Everyone seems to have the best and most secure systems.
The 3.2 million question here is: Where did this compromise - which has unseated the entire industry - originate? No one has been fired, and I await the award season to see who will be crowned Top CISO/CIO.
Business leaders are clueless and unwilling to see reality, being primarily interested in budget cuts. Effectively, the cyber/information security function is still considered a pain by them all. But now that the consequences have come home to roost, everyone is hurting (see: Debit Card Compromise: A Call to Action).
Law Enforcement Absent
It seems to me that Indian banks consider themselves above the law. Take the Axis Bank case: A public announcement was made by them just a day before this debit card furore - Oct. 19 - that they had been hacked. They were reportedly informed by Kaspersky Lab of a leak that they decided merited further investigation. They informed the Reserve Bank of India and appointed E&Y as investigators.
However, no one, including their Big Four consultant, seems to have told Axis that a breach is a crime and the systems cannot be touched until law enforcement has been brought into the picture. There was a whisper from the corridors of the LEA that they are going to join the investigation. But no further information is available.
The fact is that this is a criminal issue and not an internal systems issue, as it is usually painted to be. Unless an FIR is filed and law enforcement is involved, the report findings will not be admissible in a court of law, irrespective of whether the investigations commissioned by the banks find the culprits.
I will say, however, that a public announcement by a bank is a good precedent and must have taken guts. But news of this debit card compromise seems to have broken just in time to save the bank's proverbial bacon.
This hack is very different from the debit card issue, and Axis or EY must issue an advisory. Bank investors and account holders need to know how good their security posture is and what has happened.
Where are the Ombudsmen?
Amidst this uproar, it is strange to find CERT, NCIIPC and NCSC all maintaining silence. The Finance Ministry issued a statement assuring consumers that they need not worry, which is ironic, considering that this disaster probably gave bank chairmen sleepless nights.
But I am not surprised. NPCI's official statement said customers of only 19 banks and only 641 cards out of the 3.2 million tranche were affected by fraud to the tune of Rs 1.3 crore. Bear in mind that these institutions are used to seeing Rs 7500 crores fly out of the country and still say "all is well".
What I find surprising and suspicious is that the big guns - the Finance Ministry, RBI, et al. - have come out in television, print and online media trying to reassure citizens over what is a relatively minuscule figure in the scheme of things - certainly not 7500 crores!
So to me there is more to this than is being said or shared. Is that why no police complaint has been filed - because filing one would force a more detailed statement? The cardinal rule of crisis management is having a single honest and credible point of contact. In my opinion, the claims and statements out there right now stink and need to be called out by someone in authority.
Breach Disclosure is Need of the Hour
The dust has settled and also seems to have been brushed under the carpet. It would demonstrate some maturity in crisis management if RBI issued a weekly or daily update. However, after the last press release the regulator just asked all banks to shut up, so now no one is talking.
Does this silence mean that everything is under control? Have the bankers justified the expense for replacement of 3.2 million cards? Have the 641 accounts been compensated? What is the RBI now doing about their magnanimous September circular? Sad to say this seems to be the stuff that comprises the ethos of governance, risk and compliance in these hallowed chambers.
It is disheartening to see the veil of secrecy around everything that banks, government or regulators are doing. While I am not saying that every bit of information should be disclosed in public, this total vacuum is impeding the industry as a whole.
Every threat or vulnerability that is built into your systems, or that you are learning about today, is based on free and open information shared by individuals and entities. If information on new attacks is not shared, how will these vectors be added to this body of knowledge? How will the industry learn about unique attacks in its sectors? In short, you are stunting the growth of the ecosystem.
All these years, no high and mighty CxO has needed to disclose breaches. Incidents are hidden and not talked about, and losses are quietly covered. This is tantamount to abetment of a crime, and the banks' and institutions' officers are as culpable as the criminal who perpetrated it.
In such cases, RBI, SEBI, IBA, IDRBT and other agencies could be considered complicit in hiding crimes committed against these national institutions. The government must enact legislation to make data breach disclosure mandatory ASAP.
Enterprises must accept that a data breach is a crime, and a disaster like any other - not an internal issue. And there is no reason to be ashamed. No one seems to have suffered a reputation loss - whether it was Target or Sony or Axis or SBI. You can check their earnings and stock prices to be convinced. Reputation loss cannot be an excuse anymore, and platitudes won't suffice.
Views expressed are the author's own.