In a significant order, the secretary of information technology (IT) in Gujarat directed Vodafone Idea Ltd to pay a penalty of Rs20 lakh, the amount its customer lost through a fraudulent subscriber identity module (SIM) swap.
In an order last week, IT secretary Vijay Nehra, who is the adjudicating officer (AO) for cyber fraud cases under the IT Act, says, "...in this case, gross negligence on the part of the service provider and failure or lapses in know-your-customer (KYC) verifications enabled the fraudster to access the mobile number and consequently other financial institutions attached to the number. The telecom service provider has provided assistance to the wrongdoer to facilitate unauthorised access to the computer, computer system or computer network leading to a violation of Section 43 (g) and Section 43 A and unlawful loss or damage to the person affected."
"I think a fair penalty under the provisions of Section 43A of the IT Act of Rs20 lakh on Vodafone Idea would be just and appropriate. Accordingly, Vodafone Idea is directed to pay Rs20 lakh as a penalty to the complainant within 30 days," the IT secretary says in the order.
Rajkot-based Jaydeep Vrujlal Depani, Manish Jamnadas Depani and Vrujlal Haribhai Depani had filed the complaint against Vodafone Idea, Dena Bank (now Bank of Baroda), Allahabad Bank, Federal Bank, Anita group and Gobinda Biswas. In this case, the fraudsters swapped the SIM for the mobile number linked by the Depanis with their account in Dena Bank.
On 17 February 2018, at about 6pm, Jaydeep Depani noticed that the mobile was not working and showing a no-network sign. Since he was busy with work and closing his business day, he considered visiting Vodafone Idea while leaving the office. However, he could not visit the service provider on that day and the next day, which was Sunday. He visited the Vodafone Idea office on 19 February 2018 and applied for a new SIM card.
He was issued a new SIM. However, it was not working properly, and Mr Depani could make only outgoing calls. He did not receive any incoming calls or messages on the new SIM. When he again enquired with Vodafone Idea, he was assured that the issue would be resolved soon.
The next day, he kept calling the Vodafone Idea representative but received a standard reply that the issue would be resolved shortly. On the evening of 21 February 2018, he started receiving incoming calls and messages.
The next day, when he tried to log in to the bank account with Dena Bank, he realised that the password had been reset. He contacted the bank and reset the login password. After logging in with the new password, he found that Rs20 lakh had been transferred from the account between 18 February and 21 February 2018 in four transactions of Rs5 lakh each.
He immediately reported the matter to Dena Bank and also filed a complaint before the commissioner of police at Rajkot. The complaint was converted into a first information report (FIR) on 22 March 2018.
During further queries, he was told that a new duplicate SIM card was issued for his number on 17 February 2018 from the point of sales or service centre of Vodafone Idea at Surat.
On 10 May 2018, the Depanis issued a legal notice to Vodafone Idea, stating that the mobile number associated with the bank account was deactivated by Vodafone Idea without proper verification and without following due procedure, due to which they suffered a considerable loss of Rs20 lakh.
During the hearing, all banks contended that they had taken all necessary precautions. "Fraudulent transfer of money from the Depanis' account was entirely on account of lapses on the part of Vodafone Idea in issuing duplicate SIM to the fraudster without taking any precautions necessary for KYC."
On the other hand, Vodafone Idea contended that it had no knowledge or awareness about the mobile number being used for operating bank accounts by the Depanis. "We are not connected with the fraudulent withdrawal of money from the Depanis' account and issued the duplicate SIM card to an imposter in good faith after complying with the necessary formalities for the issuance of another SIM card when it is reported to be lost," it says.
Mr Nehra, the IT secretary, observed, as an AO, that this is not the first case in which a complainant's SIM card was deactivated and a duplicate card was issued, allowing the fraudster to breach the second layer of two-factor authentication (2FA). He also mentioned that similar things might have happened with other consumers as well, but they chose not to represent their cases to the AO.
"Nevertheless, given the gravity of the complaint in the present case, and given the feedback concerning other cases in which SIM provided by Vodafone Idea was either cloned or duplicate SIM was given, I feel it necessary to instruct Vodafone Idea to strengthen its internal processes in relation to the issuance of duplicate SIMs," he noted.
The AO also pointed out that, between deactivating the original SIM and activating a duplicate SIM, the telecom service provider or its representative never makes any attempt to contact the original subscriber on the original SIM or the alternate contact number/s, if for nothing else, only to ascertain the response from the other end.
In the case of the Depanis, Mr Nehra categorically mentioned that a comparison of the original KYC form with the documents submitted by the fraudster reveals that the photographs, date of birth and PAN card are quite different. "No expert is required to compare and come to the conclusion that the applicant for the duplicate SIM was not the subscriber and such a claim was entirely bogus and fraudulent. Clearly, the claim of Vodafone Idea that the details were verified and checked is incorrect and unacceptable."
The AO found Vodafone Idea liable under Sections 43(g) and 43A and imposed a penalty of Rs20 lakh on the telco for issuing a duplicate SIM without any verification or checking the KYC documents submitted by the fraudster.
(Special Civil Complaint No.2020/04 Date: 17 May 2023)