Read Time: 06 minutes

Synopsis

The Delhi High Court, recently, issued an ex-parte ad-interim injunction in favor of Niva Bupa Health Insurance Company Limited in a case of data breach and extortion attempts by an anonymous hacker.

The bench of Justice Mini Pushkarna held, “the plaintiff has demonstrated a prima facie case for grant of injunction and in case no ex-parte ad-interim injunction is granted, the plaintiff will suffer an irreparable loss. Further, the balance of convenience also lies in favour of the plaintiff and against the defendants”. 

The plaintiff, a joint venture between Fettle Tone LLP, an affiliate of True North Fund VI LLP, and Bupa Singapore Holdings Pte. Limited, had rebranded as "Niva Bupa Health Insurance Company Limited" on July 23, 2021. On February 20, 2025, at approximately 12:39 PM, an email from an unidentified source was received by the plaintiff’s Director and Head of Legal, Compliance, and Regulatory Affairs, Mr. Partha Banerjee, and its Managing Director & CEO, Mr. Krishnan Ramachandran. The sender claimed to possess sensitive data of all Niva Bupa customers and insurance claims up to February 2025. A website, NivaBupaLeaks.com, was mentioned in the email, containing the leaked data, and a demand for payment was made to resolve the issue.

Subsequently, on February 21, 2025, at 12:14 AM, another email from the same source was received by the plaintiff’s MD & CEO, containing sample insurance claim documents. The sender emphasized the urgency of addressing the issue. Later that day, at 6:57 PM, a new email reiterated the threats and disclosed details of a policy issued that very day, proving unauthorized access to the plaintiff’s records.

On February 22, 2025, at 4:56 PM, another email warned of sustained damage over time unless a deal was reached. The sender also mentioned avoiding media interactions and attached a screenshot of an alleged inquiry from Thomson Reuters to validate the threat.

Senior Advocate Pradeep K. Bakshi, representing the plaintiff, submitted that the hacker had deployed sophisticated methods to bypass security protocols, reflecting a calculated intent to compromise and exploit the data. Senior Advocate Bakshi further highlighted a pattern of similar cyberattacks targeting financial service providers, citing past incidents involving other insurance companies. 

Senior Advocate Bakshi argued that unauthorized data exposure posed risks such as identity theft, financial fraud, and reputational harm. The misuse of confidential customer data by the hacker could lead to fraudulent transactions, phishing attempts, and regulatory violations.

To combat these threats, the plaintiff lodged an FIR on February 23, 2025, at Police Station Cyber South, Gurugram, and reported the matter to relevant regulatory authorities. The plaintiff contended that the breach could significantly undermine its market position and customer trust, thereby affecting business operations. It also expressed concerns that competitors might gain unauthorized access to proprietary customer data, posing further commercial risks.

The court, acknowledging the loss that would be faced by the plaintiff if the data is leaked, passed an ad interim injunction in favor of the plaintiffs.

For Plaintiff: Senior Advocate Mr. Pradeep K. Bakshi with Advocates Mohti Bakshi, Pururaj Aggarwal
Case Title: Niva Bupa Health Insurance Company Limited v Nicenic International Group Company (CS(COMM) 171/2025)