Pune-based ElectraCard Services (ECS) said on Sunday that a data breach in a series of ATM fraud attacks in December last year appears to have happened outside of its "processing environment".
Last week, US authorities had brought to light a $45-million global cyber heist involving ECS and another company, enStage Inc, which operates from Bangalore. The two firms had processed card payments for two West Asian banks that were hit in the theft, according to people familiar with the situation.
The prosecutors did not name the two companies then but said one was based in India and the other in the US.
According to a US official and a bank employee, ElectraCard Services processed prepaid travel cards for United Arab Emirates-based National Bank of Ras Al Khaimah (RAKBANK), which suffered a $5-million coordinated heist at ATMs around the world on December 21, 2012.
ECS said investigations show "the PIN and Magnetic stripe data seem to have been compromised outside the ECS processing environment".
It added in a statement: "As already reported in the media earlier this year, there were fraud attacks which affected several institutions worldwide, including ECS, in December 2012."
US prosecutors said on Thursday that hackers broke into two card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world.
Ramesh Mengawade, CEO of ECS and its parent company, Opus Software Solutions, could not be reached through his assistant or by email on Saturday. Calls to the mobile phone of another company official were not answered.
enStage, which is incorporated in Cupertino, California, is the company that processed card payments for Bank of Muscat, according to a source close to the bank.
Bank of Muscat lost $40 million in a coordinated heist on February 19, according to Thursday's indictment. Officials at enStage could not be reached, either in Bangalore or in Cupertino.
enStage's CEO Govind Setlur has been quoted as saying in a media report that the company has implemented security enhancements and monitoring since the theft. "Our customers were adversely affected by this sophisticated crime," Setlur was quoted as saying. "We are deeply committed to information security, and we will continue to take all reasonable measures to ensure our networks are secured from criminal actors."
More work for big processors?
Bank of Muscat has not commented on the case.
MasterCard, the network under which the cards used in the heist were issued, has said its security was not compromised. ECS said MasterCard bought a 12.5 percent stake in it in 2010.
Cyber security experts said the global scope and speed of the $45-million bank theft was unprecedented. The global gang had operatives in 27 countries who fanned out to thousands of ATMs in a matter of hours, withdrawing money using fraudulent prepaid debit cards, according to US prosecutors.
The US Justice Department gave details of the heist on Thursday in an indictment against eight men accused of being the New York cell of the organisation. The department said seven of the men have been arrested.
The ringleaders of the global operation were believed to be outside the US, but US prosecutors have declined to give details, citing the continuing investigation. Germany is the only other country so far to announce arrests.
Eddie Schwartz, chief information security officer for RSA Inc, a firm that helps banks fight payment card fraud, said that it is not surprising that hackers would target banks that rely on Indian firms to process transactions.
Schwartz, who is based in Washington, said there is not as much government oversight in India as there is in the US and Western Europe.
"Hackers view India as a target. It's got a fast-moving economy, a fast-moving IT infrastructure," said Schwartz.
Madeline Aufseeser, a senior analyst with Aite Group who follows payments processors, said she was relieved to learn that the case appeared to be limited to smaller processors.
"It looks like an isolated, very targeted incident," she said, noting that the major firms in the industry have highly sophisticated protocols to limit fraud damages.
The big players include First Data Corp, FIS, Galileo Mastercard Inc's Mastercard Integrated Processing Solutions, Tsys and Visa Inc's Visa Debit Processing Service.
Philip Philliou, managing partner of Philliou Partners LLC, a firm that helps banks and retailers select payment processors, predicted smaller processing firms will lose business as a result of this theft. Banks will decide they are not willing to assume the additional risk that comes with using smaller firms, he said.