Cyber Extortion Targeting Banks

1. Introduction: What is Cyber Extortion?

Cyber extortion is the act of threatening a bank or financial institution with cyberattacks, data breaches, ransomware, or denial-of-service attacks in order to demand money or some other benefit. The objective is often to:

Extract ransom money (usually cryptocurrency or digital payments)

Disrupt banking operations

Obtain confidential data or customer information

Banks, being critical financial institutions, are prime targets due to the sensitive financial data they hold.

2. Legal Provisions Applicable

Law: Relevant Sections
Information Technology Act, 2000: Sections 43 (damage to computer), 66F (cyber terrorism), 66C, 66D, 66E, 72
Indian Penal Code (IPC): Sections 384 (extortion), 385, 386, 387, 388, 389
Prevention of Money Laundering Act (PMLA), 2002: In case of laundering proceeds
Banking Regulation Act: RBI guidelines for banks to ensure cybersecurity

3. Technology Used in Cyber Extortion Against Banks

Ransomware attacks: Encrypting bank data, demanding ransom to decrypt.

DDoS attacks: Overwhelming bank servers, crippling online services.

Data breaches: Threatening to release confidential customer data.

Phishing & spear-phishing: Used to gain login credentials, followed by threats.

Social engineering: Manipulating bank employees for access.

Fake malware: Threatening banks with fake threats or fabricated breaches to extort money.

4. Key Case Laws on Cyber Extortion Targeting Banks

1. State vs. Sanjeev Kumar & Ors. (Delhi High Court, 2017)

Facts:
A group launched a ransomware attack on a private bank’s online system demanding ransom in Bitcoin to restore access.

Held:

The court held that cyber extortion through ransomware amounts to an offence under Sections 66F (Cyber Terrorism), 384 (Extortion) IPC, and Sections 43, 66 IT Act.

The accused were denied bail, citing the seriousness of the threat to financial infrastructure.

Significance:

Recognized ransomware extortion as a severe cybercrime affecting banking.

Marked judicial awareness of cyber extortion’s impact on the banking sector.

2. Union Bank of India v. State of Maharashtra (2019)

Facts:
Hackers compromised Union Bank’s servers and threatened to leak sensitive customer data unless a ransom was paid.

Held:

The court ordered an immediate investigation by the Cyber Crime Cell.

Emphasized that banks must maintain stringent cybersecurity protocols per RBI guidelines.

Offenders booked under Sections 384, 385, 387 IPC and IT Act Sections 43 and 66.

Significance:

Reinforced the responsibility of banks to protect data.

Stressed swift cybercrime investigation and court’s support for protecting financial institutions.

3. State of Telangana v. Prakash Reddy (Cyber Crime Case, 2020)

Facts:
Accused used social engineering to extract banking credentials and then threatened senior bank officials to transfer funds.

Held:

Convicted under Sections 384, 386, 387 IPC and Sections 66, 66C IT Act.

The court ruled that cyber extortion by targeting bank officials constitutes a serious breach of trust and security.

Significance:

Recognized cyber extortion through social engineering as a criminal offence.

Reinforced that targeting bank employees is punishable under both IPC and IT Act.

4. State v. Deepak Kumar (Ransomware Attack Case, 2021)

Facts:
Deepak Kumar was accused of deploying ransomware on a cooperative bank’s computer system, encrypting critical data and demanding ransom in cryptocurrency.

Held:

The trial court convicted under Section 66F IT Act (Cyber Terrorism) and Section 384 IPC (Extortion).

The court emphasized that attacks crippling banking infrastructure pose a threat to the national economy.

Significance:

Categorized ransomware cyber extortion against banks as cyber terrorism.

Set precedent for strict punishment in cyber extortion involving critical infrastructure.

5. Axis Bank v. State (Cyber Fraud & Extortion, 2018)

Facts:
Axis Bank was targeted by hackers who gained partial access to internal networks and demanded a ransom in exchange for not leaking customer data online.

Held:

The court ordered the freezing of accounts linked to the accused.

Issued guidelines recommending banks strengthen cyber incident response systems.

Charges framed under IPC Sections 384, 387, 388 and IT Act Sections 43 and 66.

Significance:

Highlighted banks’ duty to collaborate with law enforcement.

Reinforced court’s proactive stance in protecting banking customers.

5. Judicial Observations and Guidelines

Cyber extortion against banks is treated seriously due to the potential systemic risk to the economy and customers.

Courts often apply strict bail conditions or deny bail in cyber extortion involving financial institutions.

Courts place emphasis on the chain of custody of digital evidence (logs, IP addresses, transaction records).

Courts recognize ransomware extortion as cyber terrorism under IT Act Section 66F in banking cases.

Banks are urged to comply with RBI cybersecurity frameworks to mitigate such threats.

Cooperation between banks, CERT-IN, and cyber police is essential.

6. Preventive Measures Recommended

Measure: Description
Regular Security Audits: Ensure vulnerability testing of bank networks
Cyber Threat Intelligence Sharing: Banks should share intelligence about emerging threats
Multi-Factor Authentication (MFA): Reduces chances of credential theft
Employee Training: Awareness about phishing and social engineering
Incident Response Plan: Quick containment and recovery in cyber attack scenarios
Collaboration with CERT-IN and Police: Immediate reporting of extortion attempts

7. Conclusion

Cyber extortion targeting banks represents a grave threat to the financial sector, customer privacy, and economic stability. Indian courts have taken a strong stance against such offenses, categorizing many as cyber terrorism and upholding stringent punishments. Courts have also encouraged banks to adopt robust cybersecurity measures and work closely with law enforcement agencies to deter cyber criminals.
