Cybercriminals hacked into the IT systems of two Indian companies that processed debit card payments in order to steal US$45 million from two Middle Eastern banks.
The thieves penetrated the corporate systems of Pune-based ElectraCard Systems and Bangalore-based EnStage, reported the Times of India last Sunday. Once in the systems, they raised the daily limits and balances on prepaid debit card accounts before making off with the money, it noted.
EnStage CEO Govind Setlur admitted the company's connection and told Times of India it had already patched up the weaknesses in its infrastructure. "Our customers were adversely affected by this sophisticated crime. We are deeply committed to information security, and we will continue to take all reasonable measures to ensure our networks are secured from criminal actors," Setlur said.
A separate Reuters report last Sunday said the Indian government's IT watchdog, the Indian Computer Emergency Response Team (CERT), was investigating the technicalities involved in breaching the payment processing companies' database.
"We are investigating the technical aspect," Gulshan Rai, director general of India's CERT, told Reuters. "What kind of breach has happened in the system, how did it happen, what processes are in place, and the entire technical aspect we will look at," he said, adding the agency started its investigation last Saturday.
Last week, the United States charged eight men it suspected to be part of a global group of cybercriminals who, in the space of a few hours, withdrew US$45 million in 40,500 transactions at ATMs (automated teller machines) in 27 countries. Seven were arrested while the eighth, Alberto Yusi Lajud-Pena, was reportedly murdered in April.
Loretta Lynch, the U.S. attorney for the eastern district of New York, told PBS NewsHour last week the hackers spent up to 18 months penetrating the systems of the Indian payment processing companies.
"It's not the bank. It's the middlemen, the people that process the cards. The money flows through them as someone uses a prepaid credit card. It's standard practice," said Lynch, describing it as a 21st century bank heist.
"These are patient cybercriminals. They essentially became secret security administrators hiding in plain sight," she added, while pointing out no individual accounts were compromised.