ICICI Bank glitch gave access to other clients’ credit cards
Other clients’ credit cards started showing up on ICICI’s mobile banking app due to a technical glitch, forcing the bank to block 17,000 cards.
The bank’s technical oversight enabled users to see full card numbers, expiry dates, and CVV. They could also manage international transaction settings on other customers’ cards via the bank’s iMobile app. Complaints about the glitch first started popping up on the financial forum Technofino and Reddit.
“I have access to someone else’s Amazon Pay CC,” writes a user. “Although OTP restricts domestic transactions, I can do international transactions using the details from the iMobile app. The app even allows me to enable international transactions in case it has been disabled by the actual user.”
Some users on Reddit said that they were able to see up to 12 cards linked to their iMobile Pay app. In response to the reports, ICICI has blocked 17,000 credit cards, which, according to Indian newspaper The Hindu, constitute about 0.1% of the bank’s credit card portfolio.
“As an immediate measure, we have blocked these cards and are issuing new ones to the customers. No instance of misuse of a card from this set has been reported to us. However, we assure that the bank will appropriately compensate a customer in case of any financial loss,” said the bank in a statement.
In a post on X, Sumanta Mandal, founder of TechnoFino, called on the Reserve Bank of India (RBI) to review the security systems of ICICI Bank.
ICICI is valued at more than $76 billion, has more than 5,000 branches across India, and is present in at least another 15 countries worldwide. In 2022, the bank’s resources were named a “critical information infrastructure” by the Indian government — any harm to it can impact national security.
Despite its importance, the bank’s systems are far from being secure. In 2023, Cybernews research revealed that ICICI Bank was leaking millions of records with sensitive data, including clients’ personal and financial data, know-your-customer (KYC) forms, credit card numbers, and personal identification documents. The bank denied the incident at the time.
The newest cybersecurity incident at ICICI came after RBI took action against another Indian bank, Kotak Mahindra Bank, prohibiting it from enrolling new customers via online and mobile banking platforms and from issuing additional credit cards. This decision stemmed from the RBI’s assessment of the bank’s IT operations in 2022 and 2023, which raised substantial concerns, and from the bank’s failures to address them.