Gujarat Tribunal Awards ₹1.05 Crore Compensation in SIM-Swap Fraud Case
Ahmedabad, August 8, 2025 — In a groundbreaking ruling under the Information Technology Act, the Government of Gujarat has ordered ICICI Bank to pay ₹1.05 crore as compensation to victims of a SIM-swap fraud, while also levying penalties against ICICI and Vodafone Idea Limited. The order, issued by Mona Khandhar, Principal Secretary of the Department of Science & Technology (DST) and adjudicating officer, marks a decisive move towards establishing accountability for intermediaries in cybercrime.
The SIM-Swap Scam: How ₹1.19 Crore Vanished
The SMS‑swap fraud took place on March 12, 2023, when cybercriminals orchestrated a SIM‑swap by sending a fraudulent email that mimicked Vodafone’s domain. This led Vodafone Idea to activate a duplicate SIM linked to the victims’ email-controlled phone number. The switch enabled criminals to intercept OTPs and execute 22 unauthorized transactions, draining ₹1.19 crore from the bank account of Collective Tradelinks Pvt Ltd, owned by Bharat and Prakash Mehta.The Indian Express+2The Times of India+2
Tribunal Findings: Where Accountability Lies
Vodafone Idea Ltd. was found negligent in its KYC and SIM issuance procedures, having issued the duplicate SIM without verifying the authenticity of the request. Consequently, Vodafone has been penalized ₹5 lakh under Section 43(g) of the IT Act.The Times of IndiaThePrint
ICICI Bank, on the other hand, failed to detect suspicious activities despite 22 high-value transfers completed in mere hours. The bank’s shortcomings in beneficiary verification, inaction in flagging unusual transactions, and failures in cybersecurity measures led to a ₹10 lakh penalty. Additionally, ICICI has been held liable under Sections 43 and 43A of the IT Act for inadequate protection of sensitive data and negligence.The Times of IndiaThe Indian ExpressThePrint
Compliance Mandates: What the Tribunal Ordered Next
Both entities are mandated to pay their respective compensation and penalties within six weeks of the order.Bhaskar English+7The Indian Express+7Bhaskar English+7 Additionally, the tribunal has directed:
-
Internal vulnerability checks to be implemented within three months
-
ICT platform upgrades, specifically for ICICI Bank, to be completed within six monthsBhaskar English+2Bhaskar English+2Facebook+8The Indian Express+8Bhaskar English+8
These directives aim to reinforce due diligence and secure infrastructure to mitigate future breaches.
Investigation & Legal Timeline
The complaint was filed at the Cybercrime Police Station in Ahmedabad. The probe, led by Inspector MR Paradva, uncovered the fraudulent network, resulting in the arrest of six suspects in West Bengal—including a Vodafone store manager believed to be involved in facilitating the SIM‑swap.Bhaskar English+6Bhaskar English+6The Times of India+6
Hearings were conducted over multiple dates in 2024, extending into January 2025, before the adjudication order was finalized on July 31, 2025.The Indian Express
Why This Ruling Matters
This decisive action represents a critical precedent in Indian cybersecurity jurisprudence:
-
Intermediary Liability Enforced: Telecom and banking intermediaries are being held responsible for lapses that lead to cyber fraud.
-
Cyber Redressal Strengthened: Victims now have a robust legal recourse under the IT Act against negligence.
-
Proactive Cybersecurity: The order pushes institutions to fortify infrastructure and procedural standards.
Voices from the Sector
Though no direct quotes were cited in the coverage, stakeholders advocate:
-
Enhanced KYC protocols and simulation of dual-channel confirmations for SIM changes
-
Banks may need to tighten transaction monitoring, suspicious pattern detection, and manual review for rapid transfers
-
Regulators should set clear SLAs for OTP delivery rescue mechanisms to prevent interception after SIM changes
Summary Table
| Stakeholder | Penalty | Compensation | Compliance Deadline |
|---|---|---|---|
| ICICI Bank | ₹10 lakh | ₹1.05 crore | Payment in 6 weeks; ICT upgrades in 6 months |
| Vodafone Idea Ltd. | ₹5 lakh | – | Payment in 6 weeks; vulnerability checks in 3 months |
What Next?
This ruling sends a strong message across industries: telecom operators and banks must bolster verification, adopt multi-layered authentication, and proactively mitigate cyber threats or face legal and financial consequences. As SIM-swap frauds become more sophisticated, such precedents are vital to safeguarding consumer trust and strengthening India’s cyber defenses.
