Yes Bank under RBI lens after data leak on BookMyForex card

The Reserve Bank of India has summoned senior officials of Yes Bank following a data breach involving the Yes Bank–BookMyForex multi-currency prepaid forex card, according to a report by The Economic Times.

Card details and CVV numbers of several users were allegedly compromised, prompting the regulator to seek a detailed explanation on how the bank’s systems may have been breached and how sensitive customer data was exposed.

“The RBI has sought a comprehensive briefing from Yes Bank’s senior management on the root cause of the breach, the timeline of events, and the adequacy of the bank’s cybersecurity framework," one of the persons cited by ET said. “The regulator wants clarity on how sensitive card data, including CVV numbers, may have been exposed and what immediate containment measures have been implemented."

What Yes Bank has disclosed

In response to this, Yes Bank has issued a statement stating that it is taking stringent measures to safeguard the impacted Multi-Currency Prepaid Forex Card.

The bank said its Multi-Currency Prepaid Forex Card, issued in partnership with BookMyForex, observed an unusual increase in transaction declines by its fraud monitoring system. The unauthorised transactions were attempted on specific BIN numbers.

According to the release, the fraudulent transactions were carried out on 15 merchants based in a Latin American country between 3:30 AM and 8:30 AM (IST) on February 24, 2026. The country in question does not mandate two-factor authentication for e-commerce transactions.

As a precaution, the bank said it has restricted e-commerce transactions from a specific Latin American country.

The internal investigation revealed that transactions approximately equivalent to USD 0.28 million were approved across 5,000 customers during the incident period. The bank’s monitoring systems declined 688 unauthorised transaction attempts, safeguarding approximately USD 0.1 million.

Yes Bank said it is working with the card network to initiate chargebacks to ensure affected customers do not face financial losses. It added that it remains committed to the highest standards of data security and customer protection and is closely monitoring the situation.

Separately, BookMyForex said it does not store customers’ sensitive card information and that its systems were neither breached nor compromised during the period in question.

What the RBI is reviewing

Beyond the immediate fraud, the RBI has sought details on how sensitive card data, particularly CVVs, was stored and protected, whether encryption and prescribed security protocols were followed, and why existing cyber controls failed to prevent the breach, according to the ET report.

The regulator is reviewing the timeline of detection and reporting, third-party risk management and oversight, the number of customers impacted, and the steps taken to block cards, prevent misuse and mitigate losses.