Recently, there has been a surge of cases where duplicate SIM cards have been issued by the telecom service provider without due verification, often leading to unauthorised financial transactions. In this case, the complainant’s SIM card services were stopped and a duplicate SIM card was issued to a fraudulent person, leading to a loss of ₹20,00,000.
On May 17, Vodafone Idea Limited was ordered to pay a penalty of ₹20,00,000 under Section 43A (compensation for failure to protect data) of the Information Technology Act, 2000 (IT Act) for issuing a duplicate SIM (subscriber identity module) card to an unauthorised person, which resulted in an unauthorised transaction causing a loss of that sum to a Vodafone Idea customer. The order was passed by the adjudicating officer and secretary, Department of Science and Technology, Government of Gujarat.
The complainant, based in Rajkot, Gujarat, had a post-paid corporate calling user group connection that was provided by Vodafone Idea Ltd. He operated a bank account with Dena Bank with that number.
On February 17, 2018, the complainant found his SIM card showing the ‘no-network’ sign. He submitted an application to get a new SIM card. When a SIM card was issued to the complainant, he could not receive incoming calls on it for some time.
On February 22, 2018, the complainant could not access net banking services and after that, he realised that his bank account’s password had been reset. He contacted the bank to reset his account login password. Once he logged in with the new password, he found that ₹20,00,000 had been transferred out of his account in four unauthorised transactions of ₹5,00,000 each.
The complainant immediately reported the matter to the bank and the commissioner of police, Rajkot. A first information report was lodged on March 22, 2018.
During the investigation, the complainant was informed that a new duplicate SIM card had been issued on his number on February 17, 2018. He registered his protest against the unauthorised activation of his SIM card without his consent and proper verification of documents.
He also enquired how the duplicate SIM card was issued by blocking his services. A legal notice was sent by him to Vodafone Idea on May 10, 2018.
What does the order say?
The adjudicating officer, in his order, stated that this is not the first time duplicate SIM cards have been issued by breaking the two-factor authentication.
In fact, he mentioned that in all such cases, the SIM cards had been issued by Vodafone Idea Ltd.
The order stated that the service provider had committed gross negligence, as its failure in Know Your Customer verification enabled a fraudster to access the complainant’s mobile number and consequently other financial institutions attached to the number.
In this case, it was found that Vodafone Idea Ltd provided assistance to facilitate access to a computer, computer system or computer network in the context of Section 43(g) (penalty and compensation for damage to the computer, computer system) of the IT Act; hence, the company is liable to pay compensation under Section 43A.
The order noted, “When a subscriber gives his [proof of identity] and other identification documents to the telecom service provider, it gets attached to the mobile number and it is tagged with this personal data in its database. It is the telecom service provider to protect this data (sic) and ensure that such data is protected from unauthorised access.”
The adjudicating officer observed that while deactivating the original SIM card and activating the duplicate SIM card, the telecom service provider did not contact the original subscriber of the SIM. Moreover, the documents provided by the imposter were entirely bogus and fraudulent.
The adjudicating officer lamented, “If M/s Vodafone Idea Ltd. had been more diligent in verifying the identity of the person seeking the duplicate card, [the complainant’s] loss could have been avoided. I also consider the fact that his negligence on the part of M/s Vodafone Idea Ltd. (sic) has resulted in the compromise of the [one time password]-based authentication”.
Thus, the adjudicating officer ordered Vodafone Idea Ltd to pay the complainant a penalty of INR 20,00,000 within a period of 30 days from the date of the order.
The full judgment is Jaydeep Vrujlal Depani & Ors versus Vodafone Idea Ltd & Ors. (Special Civil Complaint No: 2020/04).