At a time when threats to data security have taken centre stage, a public sector bank has been faulted for ‘causing harassment’ to a customer whose net banking credentials were compromised through no fault of his.

Acting on a complaint from Balaji Srinivasan, a Hyderabad-based software engineer, the Central Information Commission (CIC) chastised respondent Indian Bank for dragging its feet in the case, and awarded a token compensation to the appellant.

‘Serious breach’

The personal credentials of the appellant’s net banking account were found compromised on December 6, 2014, with the name, address, PAN and mobile number having been affected.

These details were replaced with zeroes and cross signs. The breach was so serious that the net banking platform failed to display the two secret questions pre-set as security keys and required him to reset the security keys by generating an OTP.

Since he did not get satisfactory responses from the bank regarding the breach, Srinivasan took recourse to an RTI application dated July 7, 2015, but to no avail.

The bank later admitted to changes in the net banking profile of the appellant’s account, claimed the problem had occurred in the course of migration of data to the Core Banking System (CBS), and said the mistake had subsequently been rectified.

Srinivasan told the CIC that the issue he had raised was a matter of larger public interest concerning the security of customer accounts in various banks, a view with which the CIC agreed.

The submission that the mistake occurred during migration of data and that it has been rectified does not answer the queries of the appellant, the CIC noted in its final order dated July 28, 2017.

It asked the bank to either provide the specific information sought by the appellant through his RTI applications or file a sworn affidavit, explaining in detail the reason(s) underlying the security breach.

The bank stated that it would file a sworn affidavit. The CIC directed it to do so, with a copy to the appellant, within 15 days of the receipt of its order, and to keep the CIC posted.

Token compensation

The affidavit should indicate the date on which the changes were made to the appellant’s account and the date on which the mistake was rectified. The CIC expects the respondents to give a reply that explains the factors underlying the mistake, rather than taking shelter behind a general submission, such as problems connected with the migration of data to CBS.

It also noted that the appellant had not only suffered harassment but had also not received a satisfactory reply from the bank to his queries.

“It is difficult to compensate an appellant for such harassment in monetary terms. However, by virtue of the power vested in us under Section 19 (8) (b) of the RTI Act, we direct the bank to pay a token compensation of ₹5,000 to the appellant. It should ensure that this is done within 10 days of the receipt of its order, under intimation to the CIC.”