Hitachi is aware that malware was injected onto their systems between May 21, 2016, and July 11, 2016, but the company has no idea how much damage was actually done, as the bug was able to "work undetected and had concealed its tracks during the compromise period."
“SISA’s report pointed to a sophisticated injection of malware in the Hitachi Payment Services’ systems, which was able to compromise the details of these debit cards,” Hitachi said in a statement. “While the behaviour of the malware and the penetration into the network has been deciphered, the amount of data exfiltrated is unascertainable due to secure deletion by the malware.”
“As soon as the breach was discovered, we informed the RBI, NPCI, banks and card schemes. The extent of the compromise was limited and we have not seen any further misuse,” Loney Antony, managing director of Hitachi Payment Service, told Business Standard.
Customers who had money stolen were refunded by banks, but the Reserve Bank of India found that the banks were not at fault over the breach, instead advising that service providers be held liable for the missing money. Sources from the central bank told the Business Standard that, as Hitachi has admitted responsibility, they will now be responsible for the funds.
To prevent further malware attacks, banks have blocked international payments, reduced withdrawal limits, and began monitoring unusual spending patterns and other behavior by customers. Hitachi has also reportedly updated their infrastructure.
