MUMBAI: The Reserve Bank has summoned the senior management of Yes Bank after the lender admitted last evening that a major data breach linked to the Yes Bank-Bookmyforex multi-currency forex card has taken place involving a few Latin American entities.
Yes Bank said transactions worth about Rs 2.54 crore or $0.28 million were approved across 5,000 customers, while 688 unauthorised attempts amounting to nearly Rs 90 lakh were blocked. It further said it is coordinating with the card network to process chargebacks and ensure customers do not incur financial losses.
The new fraud comes to light even as smaller private sector peer IDFC First Bank had this Sunday admitted to a much larger fraud involving its own employees and some Haryana government employees who siphoned off as much as Rs 583 crore in government deposits. Police have nabbed four of the key suspects and the bank has already paid the entire money back to the Haryana finance department from whose account it was stolen.
According to sources in the know of the development, the banking regulations department of the central bank has asked senior Yes Bank officials to make a presentation and share the details of the fraud. They have also been asked to provide a detailed account of how its systems may have been breached and the chain of events that resulted in the exposure of sensitive customer data.
The regulator also wants the bank to outline the root cause of the compromise, the timeline of the breach and the strength of its cybersecurity architecture.
The breach involves stealing card information, including CVV numbers of several customers.
When contacted, a Yes Bank spokesman did not comment on the RBI summons but said the bank has informed the exchanges that it has set up an internal investigation after a fraud involving 15 merchants in a Latin American country on February 24.
Though Yes Bank did not name the country, it is widely believed that it is Brazil.
In an exchange filing late last night, Yes Bank said, “We wish to clarify that our multi-currency prepaid forex card, issued in partnership with Bookmyforex, observed an unusual increase in transaction decline by the bank’s fraud monitoring system. These unauthorised transactions were attempted on specific BIN numbers only. These fraudulent transactions were carried out on 15 merchants that are based out a Latin American country, in the early hours on February 24, 2026, between 3:30 am and 8:30 am IST.
“The specific country does not mandate two factor authentication for e-commerce transactions. As a security measure, the bank has subsequently restricted e-commerce transactions from that country.
“An internal investigation by the bank has revealed that during the period of the incident, transactions around $0.28 million or around Rs 2.5 crore have been approved on behalf of 5000 customers. Due to our monitoring and control mechanisms, 688 unauthorized transaction attempts were declined, which led to safeguarding of around $0.1 million,” the lender said.
The bank is working with the card networks to raise chargebacks to ensure that the impacted customers do not face any financial loss, it added.
A Bookmyforex official said the company does not retain customers' sensitive card details and maintained that its systems were neither breached nor compromised during the period under review.