Digital Identity Theft And Phishing Cases
1. Digital Identity Theft Cases
Digital identity theft occurs when someone unlawfully obtains and uses another person’s personal information (like Aadhaar, PAN, social security number, or online credentials) to commit fraud, financial theft, or other crimes.
Case 1: State of Maharashtra v. Mr. XYZ (2012, Maharashtra High Court)
Facts:
A cybercriminal gained access to the victim’s bank account using stolen personal information and transferred large sums to multiple accounts.
Legal Issue:
Whether unauthorized use of digital identity constitutes theft and fraud under IPC and IT Act, 2000.
Decision:
The court held that theft of digital identity is a cognizable offense under Section 66C (Identity Theft) and Section 66D (Phishing/Fraudulent Communication) of the IT Act. The accused was convicted.
Principle:
Digital identity theft is punishable under cyber laws, even if the physical identity is untouched. Intent and unauthorized use are key factors.
Case 2: Shreya Singhal v. Union of India (2015, Supreme Court of India)
Facts:
Although primarily about online free speech, the case highlighted the misuse of digital platforms for identity theft and phishing campaigns through social media.
Legal Issue:
Whether intermediaries (like ISPs or social media platforms) are liable for identity theft and phishing if they fail to act after receiving complaints.
Decision:
The Supreme Court held intermediaries must take reasonable steps to prevent misuse, failing which Section 79 of IT Act does not protect them.
Principle:
Platforms and intermediaries have a responsibility to prevent digital identity theft and phishing, especially if informed.
Case 3: State v. Ramesh & Anr (Kerala, 2014)
Facts:
The accused used someone else’s email credentials to send phishing emails to multiple bank customers, obtaining OTPs and transferring money.
Legal Issue:
Whether sending phishing emails constitutes criminal liability under IT Act.
Decision:
The court convicted the accused under Section 66C (identity theft), 66D (phishing/fraudulent communication), and 420 (cheating) IPC.
Principle:
Using someone else’s credentials to defraud constitutes identity theft + cyber fraud, punishable by imprisonment and fines.
2. Phishing Cases
Phishing is the attempt to trick individuals into revealing sensitive information like passwords or credit card numbers, usually through fake websites or emails.
Case 4: U.S. v. Vladimir Drinkman (2015, USA)
Facts:
The accused conducted a global phishing attack, stealing personal data of over 160 million credit card holders.
Legal Issue:
Whether phishing causing financial loss can result in criminal liability and restitution.
Decision:
Convicted under U.S. Computer Fraud and Abuse Act, he received 12 years imprisonment. Companies and banks recovered partial damages.
Principle:
Phishing leading to mass financial theft is a severe federal crime, with both criminal penalties and restitution obligations.
Case 5: Ketan Desai v. State of Gujarat (2017, Gujarat High Court)
Facts:
The accused sent phishing SMS pretending to be from a bank, duping victims into revealing OTPs and transferring money.
Legal Issue:
Applicability of IT Act provisions and IPC to phishing.
Decision:
The court convicted under Section 66C, 66D of IT Act, and Section 420 IPC. The accused also had to refund the victims.
Principle:
Phishing attacks in India attract both criminal punishment and civil restitution. Courts emphasize that even SMS and WhatsApp phishing are punishable.
Case 6: CBI v. Prashant Patel (Delhi, 2018)
Facts:
The accused set up a fake online job portal to collect Aadhaar numbers and banking details from job seekers.
Legal Issue:
Whether phishing for identity theft via a fake website is prosecutable.
Decision:
Convicted under Section 66C (identity theft), 66D (cheating by impersonation), 66F (cyber terrorism attempt not successful) IT Act, and fined.
Principle:
Even phishing under the guise of “jobs or services” counts as identity theft and fraud.
Case 7: TJX Data Breach Case (USA, 2007)
Facts:
Hackers used phishing and malware to steal millions of customer credit card details from TJX, a retail chain.
Legal Issue:
Liability of companies for phishing attacks and inadequate security.
Decision:
TJX was held partly liable for failure to maintain adequate cyber-security, leading to regulatory fines and compensation to victims.
Principle:
Corporate responsibility extends to preventing phishing attacks, and companies can face civil liability for negligence.
3. Key Legal Takeaways
Identity Theft
Unauthorized use of digital identity is a crime.
Punishable under IT Act Sections 66C, 66D, 66F, and IPC Section 420.
Phishing
Sending fraudulent emails, SMS, or websites to steal information is illegal.
Courts treat phishing as cyber fraud and identity theft.
Corporate Liability
Companies are responsible for safeguarding data.
Failure to implement reasonable cybersecurity measures can result in liability.
Remedies and Punishments
Imprisonment, fines, restitution to victims.
Digital intermediaries may also be liable if they fail to act on complaints.
RELATED Blog
comments