
By Swati Pandey and Supantha Mukherjee

MUMBAI/BANGALORE, May 12 (Reuters) – The Indian government’s cyber watchdog is investigating how security at two companies that are part of the country’s vast IT services industry was breached in a global ATM heist that saw $45 million stolen from two banks in the Middle East.

EnStage Inc, which operates from Bangalore, and ElectraCard Services, based in the Indian city of Pune, processed card payments for the two banks that were hit in the theft, several people familiar with the situation said.

“We are investigating the technical aspect,” Gulshan Rai, director general of the Indian Computer Emergency Response Team (CERT), part of the department of electronics and information technology, told Reuters by phone on Sunday.

“What kind of breach has happened in the system, how did it happen, what processes are in place, and the entire technical aspect we will look at,” he said, adding that the agency had started its investigation on Saturday.

U.S. prosecutors said on Thursday that hackers broke into two card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world.

The prosecutors did not name the two companies but said one was based in India and the other in the United States.

While details of what happened are still sketchy, experts said the banks could bring claims against the processing companies in court, or they could file claims with their insurers and those of the processing companies.

According to a U.S. official and a bank employee, who both spoke on condition of anonymity, ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah PSC (RAKBANK). RAKBANK suffered a $5 million coordinated heist at ATMs around the world on Dec. 21 last year, according to the U.S. indictment.

In a statement on Sunday, ElectraCard, or ECS, said it had been affected by “fraud attacks” in December. It said investigations show that “PIN and Magnetic stripe data seem to have been compromised outside the ECS processing environment.”

MasterCard bought a 12.5 percent stake in ElectraCard in 2010. MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised.

EnStage, which is incorporated in Cupertino, California, but has operations based in Bangalore, is the company that processed card payments for Bank of Muscat of Oman, according to a source close to Bank of Muscat. Bank of Muscat lost $40 million in a coordinated heist on Feb. 19, according to Thursday’s indictment.

“Our customers were adversely affected by this sophisticated crime,” EnStage CEO Govind Setlur said in a statement in the Times of India newspaper.

ADDITIONAL MONITORING

A statement obtained by Reuters from a company spokesman said: “Since the time the incident occurred, EnStage has retained independent security experts to analyse the intrusion and to recommend enhancements to its information security infrastructure. EnStage has implemented both these enhancements as well as additional monitoring capabilities.”

Setlur was travelling and could not be reached for further comment on Sunday.

An employee at the company’s office in central Bangalore who did not want to be identified said that about 250 people work in the office but did not give further details.

Bank of Muscat has not commented on the case.

Police in Pune and Bangalore did not immediately have information on the matter when reached on Sunday.

The breach in security at Indian operators is a blow to the country’s multi-billion dollar information technology industry, which received about half of all outsourcing contracts in the world in 2011, according to industry data.

India-based IT vendors, who rely on the trust of global clients to handle sensitive data, are dominated by companies providing support services to the global financial industry.

Eddie Schwartz, chief information security officer for RSA Inc, a firm that helps banks fight payment card fraud, said that it is not surprising that hackers would target banks that rely on Indian firms to process transactions.

Schwartz, who is based in Washington, said there is not as much government oversight in India as there is in the United States and Western Europe.

“Hackers view India as a target. It’s got a fast-moving economy, a fast-moving IT infrastructure,” Schwartz said.

Cyber security experts said the global scope and speed of the $45 million bank theft was unprecedented. The global gang had operatives in 27 countries who fanned out to thousands of ATMs in a matter of hours, withdrawing money using fraudulent prepaid debit cards, according to U.S. prosecutors.

The ringleaders of the global operation were believed to be outside the United States, but U.S. prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.

ElectraCard is based in a plush office park near the airport on the outskirts of Pune, a fast-growing city in western India that is a hub for the IT and auto industries and is home to several universities. A security guard at the office park, where tenants include IBM, would not allow in a Reuters journalist without an appointment on Sunday.

Unlisted ElectraCard had a net loss of 90.2 million rupees ($1.65 million) on net sales of 535.4 million rupees for the fiscal year that ended in March 2012, a sales decline of 1.6 percent, according to a report by ratings agency Crisil.