Axis Bank Asked To Reimburse Rs1.76 Crore Lost in Cyberfraud with Rs53 Lakh Compensation, Legal Charges
Moneylife Digital Team 24 January 2025
In a historic order on accountability, the adjudicating authority (AA), under the Information Technology (IT) Act, held Axis Bank responsible for failing to ensure reasonable security practices and procedures which directly contributed to unauthorised transactions from a customer's account. The AA directed Axis Bank to reimburse the actual loss of Rs1.76 crore with 18% interest and pay Rs53 lakh as compensation and legal costs to the customer.
 
In an order on Tuesday, Parrag Jaiin Nainutia, principal secretary of the department of information technology for Maharashtra (adjudicating authority under the IT Act), says, "...in my considered view, Axis Bank's failure to ensure reasonable security practices and procedures, as mandated under Section 43A of the IT Act directly contributed to the unauthorised transactions. The hacking of its systems, as admitted in the first information report (FIR), indicates a lapse in implementing adequate measures to protect sensitive customer data. Section 43A imposes liability on entities that handle sensitive personal data and fail to maintain reasonable security safeguards, resulting in wrongful loss or damage. In this case, Axis Bank's negligence in securing its systems led to the compromise of the complainant's confidential information and subsequent fraudulent transactions."
 
"Additionally, the absence of robust real-time monitoring and fraud detection mechanisms underscores Axis Bank's failure to comply with the prescribed standards for data protection and security under the IT Act and Reserve Bank of India (RBI) guidelines. This lack of vigilance not only facilitated the unauthorised transactions but also caused immense financial and reputational harm to the complainant, highlighting the bank's non-compliance with statutory obligations," the AA says in the order.
 
Under the Act, the state IT secretary is the adjudicating authority who can adjudicate cyber fraud matters in which the claim for damage does not exceed Rs5 crore. The AA has the powers of a civil court.
 
Dhule Vikas Sahakari Bank Ltd, represented by advocate Dr Prashant Mali, had filed a case against Axis Bank to recover money lost in unauthorised transactions. Dhule Vikas Sahakari Bank has a current account with Axis Bank and uses its cash management services (CMS) platform, along with national electronic funds transfer (NEFT) and real-time gross settlement (RTGS) transactions.
 
On 8 June 2020, an employee of Dhule Vikas Sahakari Bank logged into the lender's Axis Bank account and discovered 26 unauthorised transactions valued at Rs2.06 crore. This was in addition to a single NEFT transaction on 7 June 2020. These transactions occurred between 7am and 10am, before Dhule Vikas Sahakari Bank's working hours.
 
Dhule Vikas Sahakari Bank asserted that neither the maker nor the checker (two different persons using separate mobile numbers) received the mandatory one-time passcode (OTP) required to complete these transactions. 
 
"Additionally, no batch numbers were generated for the transactions, which is a critical step in their internal processes. The lack of OTPs and batch numbers suggests a significant lapse in the security measures implemented by Axis Bank," says advocate Dr Mali, representing Dhule Vikas Sahakari Bank.
 
He further submitted that Rs30.43 lakh was frozen out of the Rs2.06 crore fraudulent transactions, and hence, he sought actual reimbursement of Rs1.76 crore from Axis Bank.
 
Officials from Dhule Vikas Sahakari Bank immediately reported the issue to Axis Bank, which, on 10 June 2020, filed a first information report (FIR) at Dhule city police station for investigation. On 18 June 2020, Dhule Vikas Sahakari Bank also filed a formal complaint with the police station, sharing details of the fraudulent transactions.
 
During the hearing before the AA, advocate Dr Mali highlighted that the know-your-customer (KYC) details of the beneficiary accounts (where the money was fraudulently transferred from Dhule Vikas Sahakari Bank's account), including those held at ICICI Bank and HDFC Bank, should have been verified to prevent unauthorised withdrawals. "Axis Bank's failure to adhere to RBI guidelines on KYC and anti-money laundering practices facilitated the fraudulent transactions."
 
Advocate Naveen Raheja, representing Axis Bank, contended that 'AnyDesk' software was installed for remote access at Dhule Vikas Sahakari Bank (DVSB). "As per the SAP report from DVSB, the hacking was done in DVSB's servers. There were host-to-host mode (H2H) transactions wherein OTP generation was not required."
 
With the help of an investigation report by the KPMG cyber forensic team, Axis Bank stated, "While analysing the remote access connection, it was observed that five successful remote desktop logons were made on 6 June 2020 from different IP addresses."
 
However, the AA observed that KPMG did not perform the audit. In its report, the audit firm submitted that "KPMG has not performed an audit and does not express an opinion or any other form of assurance. Further, comments in our report are not intended, nor should they be interpreted to be legal advice or opinion."
 
Mr Nainutia, the principal secretary of IT, also noted that "the transaction conducted on 7 June 2020 occurred on a Sunday, which was a bank holiday, directly contradicting the statements made by Axis Bank."
 
Holding Axis Bank responsible for the unauthorised transactions, the AA directed the lender to reimburse the actual loss of Rs1.76 crore with 18% interest and pay compensation of Rs50 lakh and Rs3 lakh as legal charges to Dhule Vikas Sahakari Bank. 
 
(Complaint Case File No.3 of 2019, Date: 21 January 2025)
Comments
sunielramchandani
3 weeks ago
Whether AA as mentioned in this can be accessed by any victim or any criteria for that?
hiring.rabrimrozgarindia
4 weeks ago
My Axis Bank card was used for international transactions of Rs 4200 last year. It was without OTP. I had this card for more than 2 years and used it only once at a filling station. Still my card data was leaked. I raised complaints with cyber cell and bank and got my money back. But Axis Bank cyber security is seriously questionable.