Data theft by bank employees: Case Study and Remedies

Raj Pagariya
Cyber Security, Law

Modern-day banks store a plethora of personal and financial information about their customers: Aadhaar number, PAN number, address, mobile number and the like, as well as income tax returns, spending patterns, average monthly expenditure, property registration papers, and much more. In short, we, as customers, entrust the banks with every piece of information we share. That trust, however, is not always well placed. Like any other organisation, banks are exposed to insider threats. In the cyber ecosystem, an insider threat refers to malicious employees who steal, damage, or expose the internal data or systems of the organisation they are part of. At times, a single malicious insider can be fully responsible for an entire data breach.

In December 2019, an incident of customer data theft by bank employees came to light. The Shamrao Vithal Cooperative (SVC) Bank registered an FIR for criminal breach of trust and data leak at the Srinagar police station in Thane against two of its current employees and one former employee. The FIR was filed under Section 408 (criminal breach of trust by clerk or servant), Section 109 (punishment of abetment if the act abetted is committed in consequence and where no express provision is made for its punishment), and Section 34 (common intention) of the Indian Penal Code, 1860, along with Section 43A (compensation for failure to protect data) and Section 66 (computer-related offences) of the Information Technology Act, 2000. The bank, which has a presence in 10 states through its 198 branches, filed the case through its managing director, Ajit Venugopalan, on December 12, 2019. The accused have been identified as PS Shinde, RM Satam, and SN Kubal. It is pertinent to note that SN Kubal, the former employee, was also the general secretary of the employees’ union and was dismissed in November 2017 on the ground of misconduct.

What actually happened?

As per the bank’s statement, the managing director was notified that SN Kubal had received confidential information about a customer. Following this, a detailed inquiry was initiated by the bank’s IT and Vigilance departments. In its report, the bank’s IT department found that between April 01, 2019, and October 24, 2019, two employees leaked personal confidential data of customers and employees from the Shared Network Access. The IT department identified the suspected employees as RM Satam and PS Shinde, posted in Coimbatore and Delhi respectively.

It is alleged that these two employees illegally accessed the accounts of 447 customers, converted the documents to PDFs, and mailed them to their personal email addresses. RM Satam then shared the data with Kubal. According to the bank, the employees had violated its information security management system (ISMS) policies, and accordingly RM Satam was suspended on October 25, 2019. PS Shinde claimed that he had accessed the data to inform the RBI and the police about certain illegalities in the bank; the bank did not accept this argument, and he was dismissed on November 27, 2019.

In the complaint, the bank stated that the data leak harmed SVC’s reputation and prompted many customers to withdraw their deposits before maturity. This resulted in a loss of approximately ₹29 crores to the bank.

What are the remedies for an affected organisation in a case like this?

In cases like these, an affected organisation such as SVC has two remedies: civil and criminal. The affected organisation can file an FIR at the concerned police station under the provisions of the Indian Penal Code, 1860, and the Information Technology Act, 2000 specified above.

To claim compensation, a civil suit can be filed against the accused for one or more of the acts listed in Section 43 of the Information Technology Act, 2000. Section 46 specifies that the power to adjudicate rests with an IT adjudicator appointed in the manner prescribed by the Central Government. An IT adjudicator can only decide matters in which the claim for injury or damage does not exceed ₹5 crores. For a claim exceeding ₹5 crores, the aggrieved party must file its application before the competent court.

Has the bank filed a civil suit?

The bank has filed a civil suit against SN Kubal, PS Shinde, RM Satam, and others before the High Court of Judicature at Bombay, in its ordinary original civil jurisdiction, for compensation and damages worth ₹29 crores, through Advocate Prashant Mali. As per the injunction order in IA Number 1/2019 in Suit (L) Number 1335/2019, available on the Bombay High Court’s website, the defendants, their servants, agents, or anyone claiming through them are restrained from accessing, downloading, extracting, and/or transferring, in any manner and by any means, the sensitive confidential information from the computer systems of the plaintiff bank. Through its order, the court has further restrained the defendants from forwarding, sharing, or transmitting, in any manner and by any means, the sensitive confidential data in their custody.

It must be noted that in the first paragraph of this order, defendants number 1, 2, and 4 have stated that they will not part, in any manner, with any information in their possession pertaining to the subject matter of the present suit and relating to the records of the plaintiff bank, till further orders on this notice of motion. They have also stated that they will not engage in any activity to access data on the bank’s websites.

Advocate Prashant Mali, a leading cyber expert and well-known lawyer, is representing the bank in this case. It is pertinent to note that he also handled the COSMOS Bank hacking incident, which is touted as the biggest hacking incident against a bank in recent times. In his conversation with the Mumbai Mirror, he said, “The employees have confessed to data theft because they were instigated by the bank ex-employee out of vengeance. The bank also has solid evidence to prove the involvement of these three accused. Crime of data theft with criminal breach of trust attracts a maximum of seven years of punishment, and we will pursue the matter to its logical conclusion to create reasonable deterrence.”

What is the significance of this case?

It is rare to see such cases reported to a law enforcement agency while a civil suit for compensation is filed alongside. Section 43 of the Information Technology Act, 2000 provides for compensation to the affected person for the acts specified in that section. For the same set of acts, Section 66 prescribes imprisonment of up to three years, or a fine of up to ₹5 lakh, or both. When Section 408 of the Indian Penal Code, 1860 is read along with Section 66 of the Information Technology Act, 2000, one is looking at imprisonment of up to seven years along with a fine.

The statement made by defendants number 1, 2, and 4 is an implied acceptance that personal and confidential information of the plaintiff bank’s customers and employees is in their custody. Given that this statement was made before the Bombay High Court, the trial court may treat it as an admission of the crime by the defendants.

It remains to be seen how this case progresses over the coming hearings, as it is bound to set a precedent in cases of data theft by employees.