Mumbai: The Bombay High Court on Friday granted ad-interim relief to HDFC Life Insurance Company Ltd., issuing a John Doe (unknown parties) order against an unidentified individual who threatened to leak confidential customer data. John Doe orders, often used in intellectual property cases, are issued against anonymous entities when the exact identity of the infringer is unknown.
Justice Riyaz Chagla passed the order after concluding that HDFC Life had established a strong prima facie case for relief. “Having considered the facts and the IT Rules, I find that the Plaintiff has made a strong prima facie case for ad-interim relief,” the Court observed.
HDFC Life, a leading insurance company with 6.6 crore customers and Rs 63,076 crore in premium collections for FY 2023-24, received emails from an anonymous sender claiming to possess sensitive customer data. The sender threatened to leak and sell the data unless negotiations were initiated.
The emails contained details such as policy numbers, names, addresses, mobile numbers, and receipt numbers. Suspecting a ransomware attack, HDFC Life revealed that the sender escalated their demands on November 20, seeking 1,800 Ethereum (Rs 54.50 crore) and directing the company to contact them via Telegram and WhatsApp.
The Court emphasised the potential harm of the data breach, including identity theft, financial fraud, and privacy violations.
“Disclosure of the sensitive and confidential customer data can be highly damaging to both the Plaintiff and its customers. The Plaintiff has pointed out that publication, sale, or misuse of the data can result in identity theft, financial fraud, privacy violations, and unauthorized transactions. The data can be misused for a variety of purposes, including impersonating the Plaintiff, which would also involve infringement of the Plaintiff’s registered trademark and passing off,” the Court stated. It noted that the damage could not be compensated monetarily, especially since the perpetrator’s identity was unknown.
The Court directed Meta Platforms, WhatsApp, and Telegram to remove accounts, content, and phone numbers linked to the threats and to submit compliance reports within 24 hours. It also ordered the Union of India and the Ministry of Electronics and Information Technology to ensure swift action by internet service providers to block related accounts. Additionally, the platforms were directed to disclose any information identifying the sender. The HC has kept the matter for hearing on December 17.