Delhi High Court Passes John Doe Order Against Extortion Threat Of Leaking Insurance Company's Confidential Customer Data

The Court further directed removing a rogue website NivaBupaLeaks.com, which contained the insurance company's confidential data.

Niva Bupa Health Insurance Company Ltd. (plaintiff) submitted that on 20 February, its officials received an email from defendant no. 15–an anonymous and unnamed person impleaded as John Doe, stating that the sender had taken all of Niva Bupa India's customers and insurance claims sensitive data. The email contained details of a website, NivaBupaLeaks.com, where confidential data of the company had been uploaded. It stated that the issue could be resolved if the company paid a satisfactory price.

Niva stated that its MD & CEO received an email as well, where the unknown defendant shared insurance claim documents of Niva's customers. Another email was sent to its officials, where the defendant threatened to cause permanent damages and said that the mess could solved if the company made a deal with the defendant.

Considering the plaintiff's submissions Justice Mini Pushkarna in her order said, "In view of the above circumstances, the plaintiff has demonstrated a prima facie case for grant of injunction and in case no ex-parte ad-interim injunction is granted, the plaintiff will suffer an irreparable loss. Further, the balance of convenience also lies in favour of the plaintiff and against the defendants". 

Niva had further submitted that the unknown defendant sought to unlawfully acquire its confidential information for the purpose of misusing it. It also submitted that the defendant's creation of a website using its trademarks Bupa and Niva Bupa indicates that the unknown defendant is also highly likely to impersonate it and use the confidential information accessed by it to cheat its customers.

Niva stated that the unauthorized access and dissemination of confidential information can lead to severe consequences, including, identity theft, financial fraud, privacy violations and phishing attacks.

It stated that the misuse of data poses a significant risk to its brand and reputation, customer trust and regulatory obligations. It submitted that the unauthorized dissemination of its data will undermine its competitive position in the insurance market.

It placed reliance on Niva Bupa Health Insurance Company Ltd. vs. Telegram Fz-Llc & Ors (2024 LiveLaw (Del) 1342), where the Delhi High Court issued a temporary injunction in favour of Niva Bupa and restrained unknown defendants from publishing, distributing or disclosing its customers' personal data in a similar ransomware extortion threat. The Court had directed social media intermediaries including Telegram to remove access to the unknown defendant's accounts and domain names, which are used to transmit the customers' confidential data.

After considering the case, the court restrained the unknown defendant from using, copying, publishing, distributing, transmitting, communicating or disclosing Niva's confidential information by any medium or on any platform. It further restrained the unknown defendant from publishing, uploading or circulating any content depicting the use of any trademark that is identical or deceptively similar to Niva's trademarks.

The Court further directed the removal of the rogue website NivaBupaLeaks.com and to block the email ids associated with the unknown defendant. It asked the domain registrar to not register the rogue websites or any other name identical to Niva's brand name as part of any domain name in future.

Case title: Niva Bupa Health Insurance Company Ltd. vs. Nicenic International Group Company Limited & Ors. 

Citation: 2025 LiveLaw (Del) 264