Delhi High Court Restrains Disclosure of Axis Max Life Insurance Customer Data | Bars Threatened Leak on Dark Web And Online Platforms | Directs Gmail, LinkedIn And X To Trace Unknown Extortionist
Safiya Malik
The High Court of Delhi Single Bench of Justice Saurabh Banerjee issued a comprehensive interim injunction against an unidentified entity accused of threatening to disseminate sensitive and confidential customer data belonging to a leading insurance provider. The Court directed a series of preventive and investigatory actions to safeguard customer privacy and the plaintiff’s data, brand reputation, and regulatory obligations. In view of the serious risks posed to public interest, the Court granted urgent relief and imposed a bar on any use, distribution, or publication of the said data by any means whatsoever, including via dark web or online platforms. Further, the Court also ordered disclosure of the identities linked with the email and social media accounts used in the data breach and extortion attempt. The matter was listed for further hearing on 11 November 2025.
The plaintiff is a registered insurance company operating under the Companies Act, 1956, providing insurance services in India since 2000. Initially functioning under the brand names "Max New York Life" and "Max Life" since 2001, it recently rebranded as "Axis Max Life" in December 2024. The plaintiff holds valid registrations with the Insurance Regulatory and Development Authority of India (IRDAI) and is a recognised brand across India. It owns the domain names "www.maxlifeinsurance.com" (registered in 2005) and "www.axismaxlife.com" (registered in 2024).
The company uses these platforms and digital systems to store sensitive personal data of its customers, including names, ID proofs, contact details, policy details, PAN, banking information, and health data. The plaintiff submitted that it has implemented robust data security protocols aligned with IRDAI regulations to protect this information.
On 23 June 2025, an email was sent to three official addresses of the plaintiff from "rajdeepjewellers6@gmail.com" addressed to one Ms. Renuka Singh, Chief Manager - Marketing. The email, sent by an unidentified entity (defendant no.3), claimed possession of confidential customer data and threatened to publish the same on the dark web if the plaintiff failed to negotiate. The plaintiff responded on 29 June 2025 requesting sample data to assess the authenticity of the threat.
Subsequently, the defendant sent multiple emails reiterating the threat, including emails on 29 June and 30 June 2025, the latter attaching sample data of 50,000 customers. The defendant demanded a payment of 200 Ethereum (valued at INR 4.44 crore approx.) and warned of publishing the entire data set of 20 lakh customers if demands were not met.
The plaintiff attempted to delay the process by stating it was still reviewing the information. However, further emails from the defendant reinforced the demand. Additionally, the defendant attempted to connect with Ms. Singh via LinkedIn and was found operating profiles on other platforms including X and Academia.edu, all tied to the same email ID.
A validation process confirmed the accuracy of the sample data, indicating a real breach. The plaintiff initiated a cyber-security assessment and filed a criminal complaint (No. 1315-CAS dated 03.07.2025) with the Cyber Crime Police Station in Gurugram.
To ensure comprehensive redressal, the plaintiff impleaded various parties:
- Union of India (defendants no.1 and 2) for enforcement of compliance orders.
- BSNL and MTNL (defendants no.5 and 8) for the same purpose.
- Google LLC (defendant no.13), since the offending email was created via Gmail.
- LinkedIn (defendant no.15), X (defendant no.16), and Academia.edu (defendant no.17) for account disclosure.
- Internet Service Providers (defendants no.4 to 12) for enforcement support.
- Social media intermediaries (defendants no.14, 18, 19, and 20) for assistance in tracing the identity and blocking access.
The plaintiff contended that the attempted extortion and data breach not only jeopardise its commercial interests and regulatory obligations but also pose significant public harm. It stated that such sensitive information could lead to impersonation, financial fraud, and other criminal activities.
Citing prior cases such as Star Health and Allied Insurance Co. Ltd. vs. Telegram Messenger and Niva Bupa Health Insurance Company Ltd. vs. Telegram FZ-LLC, the plaintiff underscored the urgency of preventing unlawful disclosure of customer data.
The Court recorded that "any disclosure/publishing/selling i.e. misuse of the sensitive confidential and personal data of the plaintiff as also its customers... poses a significant risk to the plaintiff’s recognized brand and reputation, customer trust and regulatory obligations."
It further noted, "the plaintiff is not a fly by night operator and, in fact, is a leading insurance provider in India... clients share with the plaintiff highly sensitive information which if misused can drive the customers away thereby, damaging the plaintiff’s market share and brand integrity."
The Court recorded the likely consequences of letting the unknown defendant proceed with its threats: "Letting anyone like the defendant no.3/ unknown entity(s) to carry on with its activities will lead to huge ramifications, especially, with the common man at large being at risk with personal details out in the open with no amount of confidentiality left with."
Noting the nature of data involved, it stated: "Such sensitive data can be misused for a variety of purposes including for the purpose of impersonating the plaintiff... [this] would also involve infringement of the plaintiff’s registered trademark and passing off."
The Court found that the plaintiff had made out a prima facie case, holding that "the balance of probabilities and convenience tilt in favour for grant of an ex parte ad interim injunction in favour of the plaintiff."
The Court restrained any person, including the defendant no.3 or anyone acting on its behalf, from "using, copying, publishing, distributing, transmitting, communicating, or disclosing to any person, by any means whatsoever... any confidential or sensitive personal information or data belonging to the plaintiff or its customers."
It further restrained the same persons from "infringing, passing off, or using the registered trademarks licensed to use by the plaintiff... in any medium/ form including television, print media, and/or the internet."
Google LLC (defendant no.13) was directed to block, suspend, and preserve the email account "rajdeepjewellers6@gmail.com" and submit on affidavit "all available details of the defendant no.3/ unknown entity(s)... including their names, addresses, email addresses, contact details, URLs, IP addresses from where the said email account was accessed, and location history."
LinkedIn, X, and Academia.edu were directed to similarly disclose user details associated with URLs:
- com/jewellersr76650
- academia.edu/JEWELLERSRAJDEEP
The Department of Telecommunications (DoT) and Ministry of Electronics and Information Technology (MEITY) were directed to ensure compliance by ISPs and telecom operators under their jurisdiction.
Defendants no.4 to 20 were directed to "remove, delete, block, and disable within 24 hours upon intimation from the plaintiff all/ any subsequently discovered domain names, phone numbers, webpages, accounts, groups, URLs, email accounts, and/ or content... in respect of any information or data belonging to the plaintiff or its customers."
Defendant no.3 was directed to "permanently delete and destroy all digital and physical copies of the information or data belonging to the plaintiff or its customers... and to file a detailed affidavit of compliance within a period of two weeks."
Learned counsel appearing for defendants nos.1, 2, 13, 14, 18, 19 and 20 on advance service accept notices. They seek, and are granted, four weeks for filing reply(ies). Rejoinder(s) thereto, if any, be filed within two weeks thereafter.
Upon the plaintiff taking requisite steps, issue notice to the remaining defendants through all permissible modes returnable before the Court on 11.11.2025.
Reply, if any, be filed within four weeks from the date of service. Rejoinder(s) thereto, if any, be filed within two weeks thereafter.
The provisions of Order XXXIX Rule 3 CPC be complied forthwith.
List before Court 11.11.2025.
Advocates Representing the Parties:
For the Plaintiff: Mr. Pradeep Bakshi, Senior Advocate with Mr. Darpan Wadhwa, Ms. Udita Singh, and Ms. Divita Vyas, Advocates
For the Respondents: Mr. Shashank Dixit, CGSC with Mr. Kunaj Raj, Advocate; Mr. Varun Pathak, Mr. Tejpal Singh Rathore and Ms. Prasidhi Agrawal, Advocates; Ms. Swati Agarwal, Mr. Shashank Mishra, Mr. Vaarish Sawlani and Ms. Vedika Rathore, Advocates; Ms. Anushka Sharma, Advocate
Case Title: Axis Max Life Insurance Limited vs. Union of India & Ors.
Case Number: CS(COMM) 666/2025
Bench: Justice Saurabh Banerjee
