Failure To Protect Sensitive Data Leads To Unauthorized Transactions; Adjudicating Officer Holds Axis Bank Liable

Syed Nazarat Fatima

29 Jan 2025 12:09 PM IST

    The Adjudicating Officer at Mantralaya, Mumbai, under the Information Technology Act, held Axis Bank Ltd. liable for negligence in a matter involving unauthorized transactions from the current account of Dhule Vikas Sahakari Bank Pvt Ltd maintained with Axis Bank. It was observed that the failure to maintain reasonable security safeguards and to implement adequate measures to protect sensitive customer data amounted to negligence.

    Brief Facts of the Case:

    The Complainant, Dhule Vikas Sahakari Bank Pvt Ltd, maintained a current account with Axis Bank Ltd and used the platform for Cash Management Services (CMS) – RTGS and NEFT. An employee of the Complainant Bank noticed 27 transactions totalling Rs.2,06,50,165 on June 8, 2020. Although the Complainant's banking operations officially start at 10:30 am, it was found that the transactions were made between 7:00 am and 10:00 am. The Complainant claimed that the OTPs required to complete the transactions were not received. Moreover, batch numbers were not even generated for the transactions. The Complainant claimed that the generation of OTPs and batch numbers was a necessary step in completing the transactions. It was alleged that there was a serious lapse in the security measures executed by Axis Bank. Axis Bank's Pay-Pro system required a secure login including user credentials, OTPs and a maker-checker mechanism to complete the transactions. However, these steps were skipped without informing the Complainant. Pointing to 26 RTGS transfers and one NEFT transaction from its current account, the Complainant alleged that Axis Bank had failed to follow or enforce the basic security protocols.

    After finding out about the unauthorized transactions, the Complainant immediately reported the incident to Axis Bank and sought blocking of the account to avoid such issues in the future. The incident was also reported to the police. On June 18, 2020, the Reserve Bank of India was also notified about the incident.

    Citing Section 43A of the Information Technology Act, the Complainant alleged that the Respondent had failed to implement reasonable security practices and had also permitted unauthorized access, violating Section 43(g) of the IT Act, 2000.

    Further alleging that the Respondent was guilty under Section 85 of the IT Act, the Complainant sought compensation of Rs.1,76,06,381, along with interest of 18% and Rs. 3,00,000 for litigation expenses.

    Findings of the Adjudicating Officer:

    The Adjudicating Officer referred to Section 43A of the Information Technology Act and held that Axis Bank had failed to implement and execute the standard security practices, leading to the unauthorized transactions from the Complainant's current account. Moreover, even the FIR lodged by the Respondent, according to which Axis Bank's systems were hacked, suggested a serious lapse in the Respondent's protection of sensitive customer data. It was observed that, as per Section 43A, the Respondent was bound to handle sensitive personal data and Axis Bank had failed to do so, leading to wrongful loss to the Complainant. It was thus observed that the Respondent was negligent in securing the Complainant's personal information.

    The Officer held that the Complainant's reputation was also harmed due to the absence of efficient real-time monitoring and fraud detection mechanisms. It was held that Axis Bank had not been vigilant, which facilitated the unauthorized transactions. Moreover, highlighting the Bank's non-compliance with its statutory obligations, the Officer directed the Respondent to pay the Complainant an amount of Rs. 1,76,06,381 along with compound interest of 18%, Rs. 3,00,000 as litigation expenses and Rs. 50,00,000 as compensation for mental agony, pain and undue harassment.

    Case Title: Dhule Vikas Sahakari Bank Pvt Ltd versus Axis Bank Ltd

    Counsel for Petitioner: Adv. Prashant Mali a/w Adv. Tejal Patel

    Counsel for the Respondent: Adv. Naveen Raheja a/w Mahesh Kumar, Adv. Aditya C Ghuge on behalf of Department of Information Technology as law officer
