The Delhi High Court has granted interim relief to Niva Bupa Health Insurance Company Limited in a case involving a serious data breach and an extortion attempt by an anonymous hacker.
Justice Mini Pushkarna issued several directives to prevent the unauthorized release of sensitive customer data and to help identify those responsible for the cyberattack.
Hacker Threatens to Leak Customer Data
The breach was discovered on February 20 when senior executives at Niva Bupa received an email from an unknown sender claiming to have accessed confidential customer and insurance claims data. The hacker, who identified themselves as “xenZen,” demanded a ransom and threatened to publish the data on a website, NivaBupaLeaks.com, if the company failed to comply.
The hacker also claimed to have successfully targeted other insurance firms, including Star Health, and warned Niva Bupa of severe consequences if their demands were not met. In the following days, the hacker sent multiple emails containing samples of stolen data, including policy details and customer information, along with threats of further leaks.
Niva Bupa Moves Court for Protection
In response, Niva Bupa filed a lawsuit seeking a permanent injunction and damages against the anonymous hacker, referred to as “John Doe” (Defendant No. 15). The company argued that the breach posed serious risks, including identity theft, financial fraud, and reputational damage.
The insurer also raised concerns that competitors could misuse the stolen data, potentially harming its market position and customer trust.
High Court Issues Key Directives
Finding merit in Niva Bupa’s case, the Delhi High Court passed a series of directives to prevent further harm:
- Blocking of Rogue Websites – The Court directed domain name registrars and authorities to remove, block, and disable the websites NivaBupaLeaks.com and https://nivabupaleaks.st/ within 24 hours of notification by Niva Bupa.
- Restraining the Hacker – The John Doe defendant and any associates were barred from using, copying, publishing, or distributing Niva Bupa’s confidential data on any platform.
- Protection of Trademarks – The Court prohibited the defendant from infringing on Niva Bupa’s trademarks, including “Bupa” and “Niva Bupa,” or creating misleading content that could falsely suggest an association with the company.
- Identifying the Hacker – Authorities and domain hosts were ordered to disclose all known details of the hacker, including KYC information, contact details, and IP addresses linked to the rogue websites and email accounts.
- Preventing Future Breaches – Domain registrars and internet service providers were instructed to block any future attempts to register domains using Niva Bupa’s trademarks.
The Court also noted that if an injunction was not granted, Niva Bupa would suffer irreparable loss, and the balance of convenience was in its favor.
Second Data Breach in Recent Months
This is not the first time Niva Bupa has faced a cyberattack. In November 2024, the company received an email from a hacker claiming to have obtained access to a large portion of its sensitive customer data.
At that time, Niva Bupa had also approached the High Court, which issued a similar order directing online platforms, including Telegram, to block accounts linked to the hacker.
Next Hearing on August 28
In the latest case, the High Court issued notices to all defendants, directing them to file their replies within four weeks. The matter will be heard next on August 28.
Niva Bupa was represented in court by Senior Advocate Pradeep K Bakshi, along with advocates Mohti Bakshi and Pururaj Aggarwal.
-
-
-
-
-
-
