The government's cyber watchdog is investigating how security at two
companies that are part of India's vast IT services industry was
breached in a global ATM heist that saw $45 million stolen from two
banks in the Middle East.
EnStage Inc, which operates from Bangalore,
and ElectraCard Services, based in Pune, processed card payments for the
two banks that were hit in the theft, several people familiar with the
(Also see: Indian companies at center of global cyber heist)
"We are investigating the technical aspect,"
Gulshan Rai, director general of the Indian Computer Emergency Response
Team (CERT), part of the department of electronics and information
technology, told Reuters by phone on Sunday.
"What kind of breach
has happened in the system, how did it happen, what processes are in
place, and the entire technical aspect we will look at," he said, adding
that the agency had started its investigation on Saturday.
prosecutors said on Thursday that hackers broke into two card processing
companies, raising the balances and withdrawal limits on accounts that
were then exploited in coordinated ATM withdrawals around the world.
The prosecutors did not name the two companies but said one was based in India and the other in the United States.
details of what happened are still sketchy, experts said the banks
could bring claims against the processing companies in court, or they
could file claims with their insurers and those of the processing
According to a U.S. official and a bank employee, who
both spoke on condition of anonymity, ElectraCard Services was the
company that processed prepaid travel cards for National Bank of Ras Al
Khaimah PSC (RAKBANK). RAKBANK suffered a $5 million coordinated heist
at ATMs around the world on December 21 last year, according to the U.S.
In a statement on Sunday, ElectraCard, or ECS, said
it had been affected by "fraud attacks" in December. It said
investigations show that "PIN and Magnetic stripe data seem to have been
compromised outside the ECS processing environment."
bought a 12.5 percent stake in ElectraCard in 2010. MasterCard, the
network under which the cards used in the heist were issued, has said
its security was not compromised.
EnStage, which is incorporated
in Cupertino, California, but has operations based in Bangalore, is the
company that processed card payments for Bank of Muscat of Oman,
according to a source close to Bank of Muscat. Bank of Muscat lost $40
million in a coordinated heist on February 19, according to Thursday's
"Our customers were adversely affected by this
sophisticated crime," EnStage CEO Govind Setlur said in a statement in
the Times of India newspaper.
statement obtained by Reuters from a company spokesman said: "Since the
time the incident occurred, EnStage has retained independent security
experts to analyse the intrusion and to recommend enhancements to its
information security infrastructure. EnStage has implemented both these
enhancements as well as additional monitoring capabilities."
Setlur was travelling and could not be reached for further comment on Sunday.
employee at the company's office in central Bangalore who did not want
to be identified said that about 250 people work in the office but did
not give further details.
Bank of Muscat has not commented on the case.
Police in Pune and Bangalore did not immediately have information on the matter when reached on Sunday.
breach in security at Indian operators is a blow to the country's
multi-billion dollar information technology industry, which received
about half of all outsourcing contracts in the world in 2011, according
to industry data.
India-based IT vendors, who rely on the trust of
global clients to handle sensitive data, are dominated by companies
providing support services to the global financial industry.
Schwartz, chief information security officer for RSA Inc, a firm that
helps banks fight payment card fraud, said that it is not surprising
that hackers would target banks that rely on Indian firms to process
Schwartz, who is based in Washington, said there is
not as much government oversight in India as there is in the United
States and Western Europe.
"Hackers view India as a target. It's got a fast-moving economy, a fast-moving IT infrastructure," Schwartz said.
security experts said the global scope and speed of the $45 million
bank theft was unprecedented. The global gang had operatives in 27
countries who fanned out to thousands of ATMs in a matter of hours,
withdrawing money using fraudulent prepaid debit cards, according to
The ringleaders of the global operation were
believed to be outside the United States, but U.S. prosecutors have
declined to give details, citing the continuing investigation. Germany
is the only other country so far to announce arrests.
is based in a plush office park near the airport on the outskirts of
Pune, a fast-growing city in Maharashtra that is a hub for the IT and
auto industries and is home to several universities. A security guard at
the office park, where tenants include IBM, would not allow in a
Reuters journalist without an appointment on Sunday.
ElectraCard had a net loss of 90.2 million rupees on net sales of 535.4
million rupees for the fiscal year that ended in March 2012, a sales
decline of 1.6 percent, according to a report by ratings agency Crisil.
© Thomson Reuters 2013