‘Data breach’ at PNB! 10,000 credit and debit cards details affected: Report

After Rs 11,400 crore fraudulent transactions, data breach of about 10,000 clients at state-owned Punjab National Bank (PNB) has raised many questions over the bank. When a CloudSek Information Security deducted data breach of as many as 10,000 credit and debit card customers, it was another blow to the state-owned bank. 

CloudSek, a company registered in Singapore but mainly operates in Bengaluru, revealed that PNB was not aware of the cybercrime.

Rahul Sasi, Chief technical officer at CloudSek, explained that on February 20, they identified a listing that claimed to have multiple cards which belonged to PNB were put up for sale on a DarkWeb site.

Sasi said, “We immediately tried reaching out to PNB using the cybercrime contact emails that were listed on their website. But that email bounced.”

By February 21, evening at around 2010 hours, CloudSek was able to reach PNB officials via third party source. And when the knowledge of the data breach reached PNB, it immediately responded to CloudSek.

“The PNB officials were quick to respond as we got a call back the same day 10.00 PM from PNB security officials. We provided them a detailed report about the leaked data,” said Sasi.

Later on February 22 by afternoon 1310 hours, CloudSek provided PNB with more detailed report, and the officials ensured swift action.

The revelation turned out to be another blow to the PNB, which is already choked with a Rs 11,400 crore fraud allegedly commited by its officials, and two renowned jewellers, Nirav Modi and Gitanjali Gems owner Mehul Choksi.

The overall fraud amount came into limelight on February 14, and since then there has been no mercy on PNB stocks, as they have tumbled by nearly 30%.

The discovery of fraudulent transactions also highlight the weak operational controls and corporate governance at the bank.

The shock of PNB fraud was so heavy that major rating agencies have either downgraded or backed out in providing any review on the bank.

Fitch Rating in a statement said, “PNB’s Viability Rating of ’bb’ has been put on Rating Watch Negative, following the large fraud reported by PNB.”

“At this stage, Fitch does not view this event to have an impact on PNB’s Support Rating Floor (BBB-) due to the bank’s high systemic importance as the second-largest state-owned bank,” the agency added.

Moody’s Investor Services, however, placed the bank's Baseline Credit Assessment (BCA) and adjusted BCA of ba3 and the Counterparty Risk Assessment (CRA) of Baa3(cr)/P-3(cr) under review for downgrade.

Moody's expects that PNB will need to provide for at least a substantial portion of the exposure. As a result, the bank's profitability is likely to come under pressure, although the actual impact will depend on the timing and quantum of provisions that need to be made, as well as any prospects for recovery.

ICICI Securities in its report says, “We are suspending our rating on the stock until actual liabilities are crystallised. Despite a steep correction in the stock price recently, we advise investors to avoid the stock as uncertainty prevails in the near term and future business growth may also be impacted.”

Meanwhile, the data breach has stirred tension not only for the bank but also for the government, considering PNB's position as one among the largest lenders and operators in financial institution.

Currently, PNB digital services to more than 10 crore customers. As of September 2017, the bank’s transaction at ATMs crossed Rs 13 crore.

Investors after the revelation of data breach on Friday made an heavy selling, so much so that the bank tumbled by another 2% touching the day’s low of Rs 112.35 per piece on the BSE, compared to previous day prices.

Although CloudSek said they have no  method to ensure if a listed data is authentic or not, it has no impact.

Sasi said, “We do not put any effort to validate that data. It is the responsibility of the bank to validate and take necessary actions. Many a time, CC sellers try to dupe their customers by sandwiching few valid CC data between hundreds of fake data.”

According to CloudSek, Dark Web is an unexplored portion of the internet which are not generally found on google searches. They hosts many underground services such as Hacking as a Service, insider information for sale, sensitive account information like bank credentials and much more.

What happens in this episode is that services in DarkNet Markets are similar to those provided in Amazon and Flipkart on the surface web; except they sell illegal product or services.

Also, unlike Flipkart and Amazon, anyone using DarkNet can claim, advertisements and that need not be true, says CloudSek.

"Across the world, there are many dark web portals that sell CC information, but it is not necessary that every site is genuine. Some site make invalid claims or sell fake data," it said.

"Now whether the PNB data breach is authentic or not, we will eventually come to know in days to come. However, such developments calls for a cause of concern and precautionary measures what a bank and customers can take on their part to keep their digital card security safe," CloudSek added.

When asked about whether other banks have also been affected, CloudSek denied saying, “Even though the Dark website claimed to have other bank data, that information is outdated and the cards listed were already blocked by all other banks.”

It may be noted that the Reserve Bank of India has already released a list of guidelines for customers and banks to follow to maintain safe electronic banking transaction.
 
The guidelines are:
 
Banks must ask their customers to mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions. SMS alerts shall mandatorily be sent to the customers wherever registered.
 
SMS/email alerts also must have a "Reply" option for customer response so that they can easily notify banks  when an authorized transaction has taken place.
 
A direct link for lodging the complaints, with specific option to report unauthorized electronic transactions shall be provided by banks on home page of their website.
 
The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.
 
A person is entitled to zero liability shall arise where the  unauthorized  transaction  occurs in events like contributory fraud/ negligence/ deficiency on the part of the bank and third party breach - where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system.
 
In case of zero liability, the customer must notify the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.
 
However, a customer will be liable for loss occurring on unauthorized transaction is when due to negligence by a customer, such as where he has shared the payment credentials.
 
In such a situation, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.
 
In case of debit card/bank account, the customer does not suffer loss of interest, and in case of credit card, the customer does not bear any additional burden of interest.
 
If a fraud is reported between four to seven working days, then the customers per transaction liability will be from Rs 5,000 - Rs 25,0000  depending on the type of accounts and credit card limit.
 
A complaint must be resolved in the above scenario with in the specified time but should not exceed 90 days from the date of receipt of the complaint otherwise the customer will be compensated as per provisions mentioned.