If you have a debit card and you are in India, it is very likely that you have received a message from your bank telling you to change the PIN of your ATM card. Banks send such messages from time to time as standard practice, but this time it is more serious than a word of caution. Reports say that around 3.2 million (32 lakh) debit cards belonging to major banks have been compromised in India.

Initial reports suggest that this could be the biggest financial breach ever reported in India, with State Bank of India, Axis Bank, HDFC, Yes Bank, and ICICI as the worst-hit banks. It is worrisome, considering almost everyone has a debit card these days and 32 lakh is a big number. So is your card also affected by the breach? If so, what should your next step be? We explain everything.

How Serious Is This?

According to the report, around 26 lakh of these cards are on the Visa and Mastercard platforms, while over 6 lakh are on the Rupay platform.

SBI has confirmed that it has blocked over 6 lakh debit cards in India after card network companies like NPCI, MasterCard and Visa informed the affected banks about a possible data breach. SBI also commented that the breach did not involve its own ATMs and networks.

"We'd like to emphasise that SBI's systems have absolutely not been compromised and existing card holders are not at any risk and can continue to use their cards. SBI is in the process of issuing new cards at no cost to those card holders whose cards have been blocked. This is a cards industry incident (not only SBI)," an SBI spokesperson said.

The Reserve Bank of India has also received complaints from the affected banks. According to The Hindu, the RBI has asked the banks to replace 17.5 lakh debit cards.

Customers have been receiving cautionary messages from their respective banks asking them to change the ATM PIN. Axis Bank resorted to blocking the ATMs till the PIN was changed from the bank's ATM. Yes Bank also limited cash withdrawals to a maximum of Rs 5,000 per day till the PIN was changed.

HDFC also notified its users to change their PIN weeks before reports of the breach went public. The bank has also told its customers not to use their HDFC debit cards at other banks' ATMs.

"Besides advising those customers who we know have used a non-HDFC Bank ATM in the recent past to change (their) ATM PIN, we are advising our customers to use only HDFC Bank ATMs as we believe security controls at some of the other bank ATMs may not be at par with HDFC Bank ATMs," a spokesperson told ET.

How Did It Happen?

The card network companies, Visa, MasterCard and Rupay, have received complaints from banks about unauthorised card usage from locations in China.

According to reports, the breach could have originated at Hitachi Payment Services. Hitachi is one of the largest providers of point-of-sale services, ATMs and mobile transactions in India. Malware in the Hitachi system could have compromised user data.

It is suggested that the malware was active for about six weeks before it was detected. While the banks haven't shared more information on the type or extent of the attack, the Payments Council of India has ordered a forensic audit of Indian bank servers and systems to find the origin of the breach.

SBI and other banks have denied any breach in their systems; however, the possibility of a system-wide breach cannot be ruled out at this early stage. We will (possibly) have more information in this regard in the coming days.