Yes Bank-BookMyForex forex card breach costs customers Rs 2.5 crore, hits 5,000 users

Following an alleged data breach in the Yes Bank-BookMyForex multi-currency forex card, Yes Bank said in a statement to ET that the bank flagged unusually high unauthorised transactions on its multi-currency prepaid forex cards on February 24. About Rs 2.5 crore worth of transactions were approved across roughly 5,000 customers, even as 688 attempts were blocked, preventing losses of around Rs 90 lakh.

The incident was detected after the lender’s fraud-monitoring systems recorded an unusual spike in transaction declined on specific bank identification numbers (BINs) tied to cards issued in partnership with BookMyForex. The unauthorised activity was traced to 15 merchants based in a Latin American country and occurred in the early hours of February 24, between 3.30am and 8.30am IST.

The statement said the country in question does not mandate two-factor authentication for e-commerce transactions, a gap that may have been exploited. As a precaution, Yes Bank has restricted e-commerce transactions originating from the affected country, they added.

An internal investigation found that while a portion of the fraudulent transactions were approved during the incident window, the bank’s controls halted hundreds of additional attempts. Yes Bank is now working with BookMyForex to raise chargebacks, aiming to ensure impacted customers are fully protected from financial loss.

Separately, BookMyForex said in a statement that the data breach did not happen from their servers. “BookMyForex is a technology-driven digital platform for forex services that connects customers with banks and RBI-licensed money changers to offer foreign currency products and services at competitive rates. We do not store customers’ sensitive card information, and our systems were not breached or compromised during the period in question,” the company said.