PUNE, India -- An Indian payment card processing company acknowledged on Monday that hackers breached its security to increase the limits on some prepaid card accounts in a $45 million global ATM heist in December.
ElectraCard Services said no customer data was stolen from it and any tampering of ATM cards occurred elsewhere.
"To withdraw money from a prepaid card, one needs an ATM card that has a magnetic strip, which has encoded data. You also need a PIN. The forensic report says that this data and PIN was not compromised at the ElectraCard data center," said Ramesh Mengawade, chief executive of ElectraCard Services.
"However, in three or four accounts, there was a breach, where the limit of cash that can be withdrawn from a prepaid card was increased," he said in an interview at his office in the western Indian city of Pune.
U.S. prosecutors said on Thursday that hackers broke into two unnamed card processing companies, raising the balances and withdrawal limits on accounts that were then exploited in coordinated ATM withdrawals around the world that stole a combined $45 million from two Middle Eastern banks.
ElectraCard Services was the company that processed prepaid travel cards for National Bank of Ras Al Khaimah, according to a U.S. official and a bank employee who both spoke on condition of anonymity. RakBank suffered a $5 million coordinated heist at ATMs around the world on Dec. 21 last year, the U.S. indictment said.
"What happened in December was an industrywide attack," Mengawade said in his first interview since the case came to light last week. "There were pranks in India; there were pranks in the U.S., in Europe and at processors as well." The company said the attack was external and no one inside the company was involved, and that it became aware of it within an hour and immediately notified clients and the police.
Another processing company, EnStage, which is incorporated in Cupertino, Calif., but has operations based in Bangalore, handled card payments for Bank of Muscat of Oman, sources have said. Bank of Muscat lost $40 million in a coordinated heist on Feb. 19.
"Our customers were adversely affected by this sophisticated crime," EnStage chief executive Govind Setlur said in a statement in the Times of India newspaper on Sunday.
ElectraCard was not associated with the February incident.
ElectraCard hired U.S.-based Verizon Communications to investigate what happened in the December heist.
Verizon is one of the largest companies that certify that companies are in compliance with payment card industry standards set by Visa and MasterCard. It is also one of the biggest providers of incident response services to companies that are victims of cyber attacks.