GOVERNMENT OF INDIA

MINISTRY OF FINANCE

DEPARTMENT OF FINANCIAL SERVICES

RAJYA SABHA

UNSTARRED QUESTION NO. 727

TO BE ANSWERED ON THE 22nd November, 2016/ Agrahayana 1, 1938 (SAKA)

Cyber attack on ATM system of public and private banks

QUESTION

  1. SHRI SANJAY RAUT:

SHRI DHARMAPURI SRINIVAS:

SHRI RAJEEV CHANDRASEKHAR:

Will the Minister of FINANCE be pleased to state:

  • Whether it is a fact more than 3.2 million debit cards of major public and private banks have been compromised by a cyber malware attack in ATM system and the National Payments Corporation of India;
  • If so, the details thereof and the estimated loss; and Government’s reaction thereto;
  • Whether it is also a fact that debit cards were fraudulently used in China and USA;
  • Whether Centre’s cyber security arm has issued a warning to all banks cautioning them that cyber criminals from Pakistan may target their information infrastructure, the details thereof; and
  • If so, details of steps taken/proposed to be taken by Government and its preparedness to deal with such cyber crimes?

ANSWER

The Minister of State in the Ministry of Finance

(SHRI SANTOSH KUMAR GANGWAR)

(a)to (e): Reserve Bank of India (RBI) has informed that an incident of data breach with respect to cards was reported and the matter is under investigation. Independent investigation by a forensic auditor approved under Payment Card Industry Data Security Standard (PCI-DSS) framework is under process.

RBI has set up a Cyber Security and IT Examination (CSITE) Cell within its Department of Banking Supervision in 2015. The Bank issued a comprehensive circular on Cyber Security Framework in Banks on June2, 2016 covering best practices pertaining to various aspect of cyber security. The circular requires banks to have among other things, a cyber-security policy, cyber crisis management plan, a gap assessment vis-à-vis the baseline requirements indicates in the circular, monitoring certain risk indicators in this area, report unusual cyber security incidents within 2 to 6 hours.

RBI has been carrying out IT Examination of banks from last year. RBI has also set up a Cyber Crisis Management Group to address any major incidents reported including suggesting ways to respond and recover to/from the incidents. Department of Banking Supervision also conducts cyber security preparedness testing among banks on the basis of hypothetical scenarios with the help of CERT-In. RBI has also set up an IT Subsidiary, which would focus, among other things, on cyber security within RBI as well as in regulated entities.

******