Maharashtra IT Dept Directs Axis Bank To Pay Rs. 1.76 Crore Due To Online Banking Security Lapses, Rs 50 Lakh As Compensation To Victim
In a significant order (dated January 21), Maharashtra's Department of Information Technology directed Axis Bank to reimburse Rs. 1.76 crore (with 18% interest) to Dhule Vikas Sahakari Bank Ltd for failing to ensure reasonable security practices. These lapses resulted in the violation of Section 43A of the Information Technology Act, 2000. This provision holds entities handling sensitive personal data liable for failing to maintain reasonable security safeguards.
Pertinently, the department has also imposed legal charges of Rs. 3,00,000/- and compensation of Rs. 50,00,000/- for mental agony, pain, and undue harassment.
To summarise, the complainant bank had an account with Axis Bank at its Dhule branch for Cash Management Services (CMS), RTGS and NEFT. On June 7, 2020, the complainant's employee discovered certain unauthorized online transactions.
The complainant claimed that neither the maker nor the checker received the mandatory OTPs to complete the transactions. To support this, it also submitted that the Pay-Pro system was used, which requires a secure login process. This system ensures that transactions are only completed after verification by both the maker and the checker. However, the complainant asserted that these safeguards were bypassed.
On the other hand, Axis Bank argued that the software “Any Desk” was installed for remote access in Dhule Vikas Sahakari Bank. Thus, there were host-to-host mode transactions wherein OTP generation was not required. Further, it had also filed an FIR for hacking of its systems.
However, in the order, the department's principal secretary, Parrag Jaiin Nainutia, observed that Axis Bank's negligence in securing its systems resulted in a compromise of the complainant's confidential information and fraudulent transactions. Further, the hacking of Axis Bank's systems highlighted a lapse in implementing the required measures for protecting sensitive customer data.
“Additionally, the absence of robust real-time monitoring and fraud detection mechanisms underscores Axis Bank's failure to comply with the prescribed standards for data protection and security under the IT Act and Reserve Bank of India guidelines. This lack of vigilance not only facilitated the unauthorized transactions but also caused immense financial and reputational harm to the complainant, highlighting the bank's non-compliance with statutory obligations,” the order stated.
In view of this, the department held Axis Bank responsible for unauthorised transactions and directed the above-mentioned reimbursement along with the imposed cost.
Case Name: Dhule Vikas Sahakari Bank Ltd. v. Axis Bank Limited and another, Complaint Case Number 03 of 2019