The Bombay High Court has issued urgent ad-interim relief in favour of Generali Central Life Insurance Company Limited following a ransomware attack on its systems by a hacker group identifying itself as “Medusa.” The court directed that all accounts, domain names, and communication channels associated with the breach be blocked and disabled immediately by relevant authorities, and restrained the hacker and all persons acting on its behalf from exploiting or disclosing the insurer’s confidential and customer data.
Generali presented before the court that its internal systems were breached, and the attacker had posted demands for ransom in U.S. dollars. The hacker group threatened to make the stolen data available to any party willing to pay or to delete the data entirely if payment was not made. The complaint showed that three ransom options had been proposed: a daily extension for the attack, download of all data for a sum, or deletion of all data for a higher sum. As part of the relief sought, Generali impleaded the unknown attacker as John Doe, given that the identity of the perpetrator remained unknown.
Justice Arif S. Doctor, upon hearing the matter, accepted the insurer’s submission that disclosure of the stolen data would yield severe and irreparable harm, and held that the balance of convenience tilted decisively in favour of the applicant. The court observed that once stolen data begins circulating or traded in public domains, the consequences are overwhelming and irreversible. Accordingly, the court restrained the hacker group from using, copying, transmitting, or disclosing Generali’s confidential information by any medium or on any platform.
Further directions were issued to the Union of India through the Department of Telecommunications and other authorities. They were ordered to disable, block or delete any accounts, domain names, phone numbers or email addresses linked to the stolen data. If Generali identifies further misuse or new domains or accounts connected to the breach, the authorities must take action within 24 hours to disable them. The authorities were also directed to file an affidavit confirming compliance with these measures.
The relief granted draws on the analogy of prior decisions in the Bombay High Court, such as in the HDFC Life Insurance v. Meta Platforms case, where relief was granted to restrain misuse of corporate data by unknown hackers. The court’s order underscores the principle that courts have to act swiftly in cyber-attack situations to contain harm and prevent misuse when the perpetrators hide behind anonymity.
Generali was represented before the court by senior and other advocates, while the DoT and related authorities appeared in response. The order marks a significant judicial intervention in cyber litigation, compelling state machinery to proactively assist in curbing data proliferation while recognizing the fiduciary and privacy interests of companies and their customers.
0 Comments
Thank you for your response. It will help us to improve in the future.