Karnataka HC Holds BSNL Liable for ₹55 Lakh in SIM-Swap Bank Fraud
The Karnataka High Court held BSNL vicariously liable for a 2019 SIM-swap fraud that drained ₹87.7 lakh from a cooperative bank, ordering over ₹55 lakh in compensation.
Bengaluru, June 6, 2026 — For over seven years, a 113-year-old cooperative bank in rural Shivamogga district endured a nightmare born of telecom negligence and sophisticated cybercrime. The High Court of Karnataka has now vindicated the victim, holding state-owned BSNL vicariously liable and ordering it to pay over ₹55 lakh in compensation — a ruling that sends a sharp message to telecom service providers (TSPs) across India.
Hero photo: the High Court of Karnataka (Attara Kacheri), Bengaluru, by Moheen Reeyad via Wikimedia Commons, licensed CC BY-SA 4.0.
The ordeal of the victim bank
Sri Basaveshwara Pattana Sahakara Bank Niyamitha (BPSBN), Shiralkoppa — a community cooperative bank established in 1913 — held its current account with Canara Bank, with internet banking enabled via a registered BSNL mobile number for One-Time Password (OTP) authentication.
Between February 6 and 7, 2019, seven unauthorised RTGS/NEFT transactions drained ₹87.70 lakh from the account. The root cause was a duplicate SIM card for the bank’s registered number, issued by a BSNL official at the Bengaluru office without any request, consent, authorisation, or verified KYC from the bank. This classic SIM-swap attack let fraudsters divert every OTP, bypass multi-factor authentication, and execute the heist.
Cyber Crime Police recovered ₹7.12 lakh and ₹30 lakh was reverse-credited, leaving a net principal loss of roughly ₹50.5 lakh. The bank’s insurer later paid ₹57.65 lakh — but, as the court would hold, that collateral benefit did not let BSNL off the hook.
- ₹87.70 lakh stolen across seven RTGS/NEFT transactions
- − ₹7.12 lakh recovered by Cyber Crime Police
- − ₹30 lakh reverse-credited by the banks
- = ~₹50.5 lakh net principal loss — the figure the court awarded
- ₹57.65 lakh insurance payout treated as a collateral benefit — it did not reduce BSNL’s liability
The Permanent Lok Adalat at Mangaluru (PLD No. 64/2021) found BSNL negligent but awarded only ₹5 lakh. Both sides challenged the order before the High Court via writ petitions under Articles 226/227.
The High Court’s analysis
Justice Suraj Govindaraj delivered a detailed order on June 1, 2026 (reserved on February 25, 2026), dismissing BSNL’s petition (W.P. No. 4674/2025) and partly allowing the bank’s petition (W.P. No. 16104/2025). The court enhanced compensation dramatically:
- ₹50,50,762 as principal for the net financial loss.
- ₹5 lakh as consequential damages for liquidity disruption, operational prejudice, and reputational harm.
- Interest at 9% per annum from February 7, 2019, payable within three months.
The key legal holdings:
- Jurisdiction upheld. The Permanent Lok Adalat had authority under Section 22C of the Legal Services Authorities Act, 1987 for disputes concerning a “public utility service” (telephone service under Section 22A). The dispute concerned deficiency in service and civil negligence, not a purely criminal matter, and the two-stage conciliation-then-adjudication process was validly followed.
- Negligence and proximate cause. Issuing a duplicate SIM without rigorous verification was a clear deficiency in service and breach of the duty of care. The court described TSPs as “custodians” and “vault keepers” of the authentication infrastructure underpinning digital banking, and held that where the subscriber is a bank using the number for high-value OTP transactions, the standard of care is heightened.
- Vicarious liability. BSNL was liable for the acts and omissions of its employee in the course of employment. Its own departmental disciplinary proceedings and the arraigning of the official as an accused amounted to an institutional acknowledgment of the lapse; an employer cannot treat the act as “within employment” for discipline yet “outside employment” to escape civil liability.
- Collateral source rule. Receipt of insurance proceeds and partial recoveries did not reduce or extinguish BSNL’s liability. Insurance is a benefit the victim secured through its own prudent contract; letting the wrongdoer benefit from it would be unjust.
- Canara Bank exonerated. No specific deficiency was proven in its authentication architecture or transaction processing. Civil liability turns on the balance of probabilities, distinct from criminal proof beyond reasonable doubt.
The court also urged banks to strengthen safeguards against SIM-swap attacks.
How this fits the global picture
The ruling aligns with an international trend toward holding telecom operators and banks accountable for SIM-swap fraud:
- United States. A 2020 Princeton study of five major prepaid carriers found that 80% of first-attempt SIM swaps succeeded because authentication was weak. In November 2023 the FCC adopted rules (FCC 23-95) requiring carriers to authenticate customers before a SIM change or port-out and to notify them immediately. Carriers have also paid: in an arbitration made public in 2025, T-Mobile was ordered to pay $33 million over a SIM swap that enabled roughly $165 million in cryptocurrency theft, with the arbitrator finding a Federal Communications Act violation.
- Litigation is still unfolding. In the long-running case of crypto investor Michael Terpin against AT&T, the Ninth Circuit revived the suit in 2024, reversing summary judgment on Federal Communications Act grounds and sending it toward a jury trial — a reminder that carrier liability for SIM-swap losses is still being actively tested.
- Spain. In a judgment dated April 2025, Spain’s Supreme Court held Ibercaja Banco liable after a customer lost €83,692 across 15 overnight transfers in a phishing-and-SIM-swap attack, placing the burden on the bank to prove the customer had acted with gross negligence.
- European Union and UK. Regulators impose controls on SIM porting, and courts increasingly scrutinise whichever party in the chain — telco or bank — was the weak link that allowed identity impersonation and OTP interception.
The Karnataka judgment stands out for imposing full civil liability on the telecom provider for consequential banking losses, treating telecom infrastructure as critical to the integrity of the financial system.
Why it matters
This is a victim-centric precedent with broad public value. It tells telecom operators that SIM issuance and replacement is not a low-stakes administrative task, and it pushes them toward stronger protocols — rigorous KYC, real-time notification to the existing number before a replacement activates, anomaly detection, and tighter handling of numbers linked to banking.
It also strengthens the case for moving beyond SMS-OTP toward app-based or hardware-token authentication, and it protects small cooperative and rural banks — the backbone of financial inclusion — from existential losses. Above all, it affirms that in a digital economy where OTP authentication underpins crores of transactions a day, the providers entrusted with the “last mile” of identity and access carry real responsibility. The era of the “it’s just a SIM card” excuse is narrowing.
Sources
- High Court of Karnataka, W.P. No. 4674/2025 and W.P. No. 16104/2025, order dated June 1, 2026 (Justice Suraj Govindaraj).
- Permanent Lok Adalat, Mangaluru, PLD No. 64/2021.
- Kevin Lee et al., “An Empirical Study of Wireless Carrier Authentication for SIM Swaps” (Princeton University, 2020).
- U.S. Federal Communications Commission, Report and Order FCC 23-95 on SIM-swap and port-out fraud (November 2023).
- SecurityWeek, “T-Mobile Coughed Up $33 Million in SIM Swap Lawsuit” (2025).
- GlobeNewswire, Ninth Circuit revives Terpin v. AT&T (2024).
- Commsrisk, “Spanish Supreme Court Holds Bank Liable for Losses Following SIM Swap” (2025).
- Hero photograph: High Court of Karnataka, Bangalore by Moheen Reeyad, Wikimedia Commons, CC BY-SA 4.0.