In an effort to neutralize the anxiety and fear among cardholders after the debit card breach, the National Payments Corporation of India (NPCI) has issued an explanation. A P Hota, MD & CEO of NPCI, the authority that controls all retail payments systems in India, said, “The complaints of fraudulent withdrawal are limited to cards of 19 banks and 641 customers.”

The breach

The security breach came to light when customers complained of their cards being used in China and the USA. While NPCI maintains that only 641 customers were directly hit, it also says that a total card base of about 3.2 million could possibly have been compromised. Customers were left in total confusion about what happened, and what to do about it.

The breach is being audited by the Payment Card Industry Security Council and the banks have decided to wait and watch. Analysts point out the cracks in the system that should have been addressed.

Suveer Khanna, partner, forensic, KPMG India, said, “Gone are the days where the intent of a cyber-attack is to disrupt business using Distributed Denial of Service (DOS) or by bringing down the website or a network.

“Thanks to the Darknet, cyber criminals are a well networked nexus. The Darknet not only provides a market place for all kinds of information, right from card data to business information, but also provides the cyber criminals a market place for procuring state of the art hacking tools, attack target related information and hackers for hire services to help in executing devastating cyber-attacks without being detected.”

Why are banks tight-lipped?

Vivek Gautam, Research Manager, Software & Services, IDC India, said that organizations shy away from reporting cyber-attacks as it can affect their brand image adversely.
However, Khanna pointed out that the banking sector is more open in reporting such incidents to regulators in order to avoid violations and regulatory penalties.

Banks won’t be able to keep security breaches under wraps anymore. The RBI has mandated that all cyber security related incidents must be immediately reported.

Speaking about the RBI’s mandate, Rajpreet Kaur, senior research analyst, Gartner, said, “They are already late in bringing this up. There have been a few banks who were working towards a robust cyber security policy. But the whole financial network in India needs fraud detection and management which is lacking as well as the detection and remediation.”

Digital India dream – Cracks in foundation?

Digital transformation is the road ahead for IT, especially the BFSI sector. India has plans of becoming a cashless economy by digitalising monetary transactions. At the same time, the basic framework, such as the physical and network security of Indian ATMs, has been questioned by experts.

“Guidelines appointed by the RBI are not enough. The privacy and the security of the data on go, the data in-transit needs point-to-point encryption. I don’t see our organisations adopting it,” said Kaur.

Gautam concurred, “Advanced Persistent Threats (APTs) are designed in such a way that once infecting a local server or end-point, it can move laterally across the network without being detected and compromise the security posture of whole environment. Often internal security teams of Indian organizations lack skills and resources to identify such breaches.”

Respond now – there’s no later

“The cyber incident response program like a disaster recovery program should be designed, built and tested periodically for all eventualities known to impact business,” added Kaur.
There is a need to adopt a framework that requires organisations to assess and treat risk without the guidance of a compliance checklist, like NIST, the US central risk-based security framework.

“While investing in best of breed security products may not guarantee that data breaches will not happen, finance industry needs to develop a culture of security intelligence sharing,” said Gautam.