Bombay High Court Passes John Doe Order Against Threat Of Leaking HDFC Life's Customer Data
In a case concerning a ransomware extortion threat against HDFC Life, in which the sender threatened to leak its customers' confidential information, the Bombay High Court has issued a temporary injunction restraining unknown defendants from publishing, distributing or disclosing the personal data of HDFC's customers.
The Court also directed social media intermediaries including WhatsApp and Telegram to remove access to the unknown defendant's accounts and domain names, which are used to transmit the customers' confidential data.
The insurance company HDFC Life collects and stores personal data of its customers as a part of its business processes and statutory and regulatory obligations. HDFC retains information including name, identity and address, policy copy, Unique Identification Number and other personal details of customers.
On November 19, 2024, HDFC received an anonymous email from an unknown person (defendant no. 6). The emails stated that the defendant had acquired a large amount of HDFC's customer data. The emails contained samples of data and the unknown defendant threatened to leak and sell the data if HDFC did not negotiate.
On November 20, 2024, the unknown defendant sent another email, asking HDFC to contact them through Telegram and also sent messages on WhatsApp. The emails and messages contained sample details of about 101 policies.
The unknown defendant demanded payment in 1800 Ethereum virtual coins, a form of cryptocurrency, which is equivalent to Rs. 54.50 crore.
HDFC submitted that its customers provide such information on a highly confidential basis and that it uses the data solely for meeting regulatory obligations and providing services to the customers.
It stated that the unknown defendant breached its elaborate security measures and orchestrated a ransomware attack to extort money from it.
HDFC also apprehended that the unknown defendant would likely use the data to impersonate it by infringing its trademark and passing off. It relied on National Stock Exchange of India Ltd. vs. Meta Platforms, Inc. & Ors. (2024), where the Bombay High Court granted ad-interim relief to the National Stock Exchange of India against infringement and passing off of NSE's trademark by unknown defendants in false and misleading advertisements on social media. The Court had invoked the obligations of social media intermediaries under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules).
Considering the facts and circumstances of the case, Justice R.I. Chagla opined that HDFC made out a strong prima facie case for the grant of ad-interim relief.
It noted that leaking sensitive and confidential customer data could be damaging to HDFC and its customers.
“Having considered the facts set out in the Plaint and the provisions of the IT Rules, I am of the view that the Plaintiff has made out a strong prima facie case for grant of ad-interim relief. Disclosure of the sensitive and confidential customer data can be highly damaging to both the Plaintiff and its customers. The Plaintiff has pointed out that publication, sale or misuse of the data can result in identity theft, financial fraud, privacy violations and unauthorized transactions.”
The Court further observed that the customer data could be misused for many purposes including impersonating HDFC. This would also involve infringement of HDFC's trademark, it noted. The Court remarked, “Such damage cannot be compensated in terms of money especially since Defendant No. 6 is an unknown entity.”
The Court noted that the balance of convenience lies in favour of HDFC and irreparable loss will be caused to it if the ad-interim relief is not granted.
The Court thus restrained the unknown defendant from using, copying, publishing, distributing, communicating or disclosing to any person the customer information.
The Court also directed the social media intermediaries Meta, WhatsApp and Telegram to remove, delete, block and disable accounts, content, domain names, phone numbers and email addresses associated with the unknown defendant.
It further directed them to disclose the available information of the unknown defendant including name, addresses, contact details, organization and associations and IP addresses.
Case title: HDFC Life Insurance Company Ltd. vs. Meta Platforms Inc. & Ors. (INTERIM APPLICATION (L) NO.35886 OF 2024 IN COM IPR SUIT (L) NO.35837 OF 2024)