What are the legal definitions of cybercrime, including hacking and data theft, in India?

Introduction

As India continues to digitalize its economy and public services, the threat of cybercrime has escalated dramatically. From unauthorized access to systems, to data theft, phishing, and identity fraud, cybercriminals target individuals, businesses, and government agencies alike. To address this, India has enacted laws under the Information Technology Act, 2000 (IT Act) and the Indian Penal Code (IPC) to define and penalize such offences.

Understanding the legal definitions of cybercrime, especially in the context of hacking, data theft, and related offences, is critical for businesses, individuals, and law enforcement.


What Is Cybercrime?

Cybercrime refers to any criminal activity that involves a computer, network, or digital device. It includes crimes where computers are either the target (e.g., hacking) or the tool (e.g., phishing scams or spreading malware).

In Indian law, cybercrime is primarily governed by:

  • The Information Technology Act, 2000 (as amended in 2008)

  • The Indian Penal Code (IPC), 1860

  • Supplemented by sectoral regulations (e.g., RBI guidelines, DPDPA 2023)


Key Legal Definitions and Provisions

1. Hacking – Section 66 of the IT Act

Definition:
Hacking is defined as unauthorized access to or damage of a computer system, data, or network, with the intention to destroy, delete, alter, or steal data, or diminish its value.

Legal Language (Section 66):
If any person, dishonestly or fraudulently, does any act referred to in Section 43 (such as accessing or downloading data without permission), they shall be punishable under Section 66.

Punishment:

  • Imprisonment up to 3 years

  • Fine up to ₹5 lakh

  • Or both

Example:
If a person gains access to a company’s internal server and deletes customer records, it constitutes hacking.


2. Data Theft – Section 43(b) & Section 66 of the IT Act

Definition:
Data theft is the unauthorized downloading, copying, or extraction of data, including personal or confidential information, from a computer system.

Legal Provision (Section 43(b)):
If a person downloads, copies, or extracts any data, database, or information from a system or network without permission, they are liable to pay damages.

When done with fraudulent or dishonest intent, it becomes a criminal offence under Section 66.

Punishment:
Same as hacking – up to 3 years of imprisonment, fine up to ₹5 lakh, or both.

Example:
A former employee accesses a company’s client database after resignation and copies it to sell to a competitor.


3. Identity Theft – Section 66C of the IT Act

Definition:
Using someone else’s identity credentials like passwords, biometric data, or digital signatures without authorization.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹1 lakh

Example:
Using another person’s Aadhaar number or credit card credentials to make online purchases.


4. Cheating by Personation Using Computer Resource – Section 66D

Definition:
Cheating someone by pretending to be another person using digital means (emails, social media, fake websites).

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹1 lakh

Example:
Creating a fake banking website to trick users into entering personal financial details.


5. Cyber Terrorism – Section 66F of the IT Act

Definition:
Unauthorized access to computer systems with the intent to threaten sovereignty, integrity, or security of India, or to cause death, injury, or damage to critical infrastructure.

Punishment:

  • Life imprisonment

Example:
A cyberattack on the railway network, air traffic control, or power grid with malicious intent.


6. Publishing Obscene or Private Images – Section 66E

Definition:
Capturing, publishing, or transmitting images of a person’s private areas without consent.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹2 lakh

Example:
Leaking private photographs of individuals without consent on social media.


7. Tampering With Computer Source Documents – Section 65

Definition:
Knowingly destroying, altering, or concealing computer source code or programs required to be maintained by law.

Punishment:

  • Up to 3 years of imprisonment

  • Fine up to ₹2 lakh

Example:
An IT employee deletes crucial software source code to disrupt services or hide fraud.


8. Sending Offensive Messages via Communication Service – Section 66A (Struck Down)

Note:
Section 66A, which dealt with sending “offensive” messages via email or social media, was struck down by the Supreme Court in 2015 (Shreya Singhal v. Union of India) for violating free speech.


9. Cybercrime Provisions Under Indian Penal Code (IPC)

While the IT Act is the main law, IPC sections are often used in parallel for related crimes:

Section 379 – Theft
If physical theft is involved alongside data theft, IPC 379 may be invoked.

Section 420 – Cheating and Dishonest Inducement
Used in email frauds, phishing, or online job scams.

Section 406 – Criminal Breach of Trust
Applicable when someone entrusted with data misuses it.

Section 468 – Forgery for Cheating
Applicable in fake documents or identity-related cyber fraud.


Civil vs Criminal Liability

Under the IT Act, certain offences (like unauthorized data access under Section 43) are civil offences, leading to compensation or damages. When coupled with dishonest or fraudulent intent (Section 66), they become criminal offences, punishable by imprisonment and fines.


Important Cases

1. Sony India Pvt. Ltd. v. Harmeet Singh
The first major cybercrime case involving credit card fraud through online shopping. The court upheld the applicability of the IT Act for e-commerce fraud.

2. State of Tamil Nadu v. Suhas Katti
One of the first convictions under cybercrime law. The accused posted obscene messages about a woman on a Yahoo message group, leading to a conviction under Sections 67 and 509 IPC.


Recent Developments and Future Frameworks

  1. Digital Personal Data Protection Act (DPDPA), 2023
    Once implemented, the DPDPA will introduce additional rules and penalties for data misuse, consent violations, and breach reporting.

  2. CERT-In Guidelines
    The Indian Computer Emergency Response Team (CERT-In) has made it mandatory to report cyber incidents (data breaches, system compromises) within 6 hours.

  3. Cyber Police Stations
    Special cybercrime cells have been established across major cities and states to investigate IT-related crimes.


Conclusion

India’s legal system has recognized the growing threat of cybercrime and has defined hacking, data theft, identity fraud, and online cheating in precise terms through the Information Technology Act, 2000, supplemented by relevant provisions of the Indian Penal Code. These definitions carry strict punishments, including imprisonment and financial penalties. As digital dependency increases, businesses and individuals must stay aware of these laws, implement cyber hygiene practices, and report offences to relevant authorities promptly. Understanding these legal provisions not only helps in compliance and prevention but also plays a vital role in securing India’s digital ecosystem.

Protect yourself against cyber attacks

A cyber-attack is an attempt by an individual or group to obtain unauthorized access to a computer network or system. It may be executed for financial gain, to obtain data, or to damage the reputation of an individual or entity. Cyber-attacks are a growing concern in the financial services sector. In 2015, 8.5 million Canadian consumers were affected by cybercrime (Norton Cyber Security Insights Report 2016).

The financial services industry is shifting toward online products that make it easier for people to do business. But portals, online applications and mobile apps increase the ways in which cyber-attacks can occur against consumers.
FSCO’s regulated sectors, such as insurance providers, mortgage brokerages and pension plans, have a responsibility to protect information and provide a safe online environment for consumers. This includes implementing policies and processes that help prevent cybercrime and lay out the steps to take if a cyber-attack takes place.
However, criminals are finding new ways to steal confidential information even from those who are diligent in protecting their online profile. If you deal with any financial service organization online, it is important to be aware of the risks involved and the steps you can take to protect yourself.

What do cyber-attacks look like?

Some cyber-attacks may seem obvious to you, such as suspicious emails, but others can be hard to detect. Some of the most common ways criminals try to steal your information include:

  • Hacking: cyber criminals gain access to your device or an organization’s information technology systems to steal your information.
  • Malware: viruses, spyware or adware are placed on your device to steal your information.
  • Pharming: cyber criminals redirect an organization’s legitimate website to a similar-looking website that captures the information you enter.
  • Phishing: fake emails, text messages and websites ask for your information, such as your social insurance number (SIN).
  • Spam: mass distribution of unwanted messages to you or from you to your contact list.
  • Wi-Fi eavesdropping: criminals capture your online activity over an unsecured Wi-Fi network.

How can you reduce the risks of a cyber-attack?

Practicing regular reviews of your online profile can reduce your exposure to cyber-attacks. Simple steps you can take – such as using strong passwords, changing passwords regularly for each of your devices and services, and updating software to the latest version – may address up to 80 per cent of the risk of compromises due to cyber-attacks (Insurance Institute, 2015). Other things you can do include:

  • Start a discussion with your financial service providers so you understand how your information is kept safe.
  • Avoid using public Wi-Fi when dealing with financial service providers and opt for an encrypted or secure connection. Turn off Wi-Fi and Bluetooth settings when you are not using them.
  • If you receive an email from a financial service provider asking for information, give them a call (on a number not given in the email) to confirm it is legitimate. When in doubt, delete it.
  • Use safe payment options, such as credit cards, when making purchases online. Avoid using money transfers – this is not a common practice in the financial services industry.
  • Find other tips and resources on Public Safety Canada’s website – Get Cyber Safe.

Security Tips – Types of Spam Filters

Security Tips

Never reply to spam. Doing so only identifies your phone, email or IM account as active to the sender and guarantees you will get further unwanted messages. The most effective way to protect against email spam is to use a filtering system: some filters are available to purchase (such as Spamtitan) but there are also spam filters available as free online downloads (POPfile, Spamfence, Spamihilator). When dealing with content that does not offer filtering, such as forums and comment sections, you essentially have to rely on your own better judgment: anything that looks like marketing or advertising or generally out of place usually isn’t worth your attention.

Types of Spam Filters

    • List-based filters essentially categorize users as either trusted or not trusted and allow messages only from trusted users. You can use either blacklisting or whitelisting techniques to create your own lists: blacklisting means creating a list that specifies which users to decline mail from, while you can whitelist by creating a list that specifies which users to accept mail from.

    • Content-based filters, such as the filters used by most webmail services, evaluate individual messages to determine whether they are legitimate or spam rather than blocking all messages from a particular email address. This is done by evaluating the words and phrases in an individual message. A variety of content filters exist. The most basic are word filters, which simply block any message containing certain pre-specified words. Heuristic filters are a little more sophisticated and evaluate patterns of text and series of words. Bayesian content filters are the most advanced, as they use mathematical probability to determine which messages are spam.

    • The most effective way to defend against mobile phone spam is to protect your email address. Avoid giving out your email address in a public forum or, if it is absolutely necessary to do so, write it in such a way that a person can read it but not a computer (for instance, write out the @ sign as “at” or the periods as “dot”). To prevent sales calls on your mobile phone the strategy is very much the same: never give out your mobile number if you do not have to.

    • If you are receiving marketing calls on your mobile phone, you can add your number to the Do Not Call Registry. Telemarketers are not allowed to call numbers on this list: the exceptions are charities registered in Canada, political parties, and general-circulation newspapers. As well, telemarketers can call you if you have an “existing business relationship” with them: this is defined as having bought, leased or rented something from the telemarketer, having a written contract with the telemarketer that is still in effect or has expired less than eighteen months ago, or having asked the telemarketer about a product or survey in the last six months.

    • Well-known VoIP providers (such as Vonage or Skype) carry calls through their closed systems and they already implement a certain amount of protection against SPIT. Much the same as with email spam filters, whitelisting seems to work effectively against SPIT because you are creating a safe and closed calling list.
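
To make the list-based and Bayesian content filters described above concrete, here is an added example (not part of the original page) that checks a sender against a blacklist and whitelist first and then scores the message text with a naive Bayes model. The addresses, training messages and the 0.9 threshold are constructed for illustration; chaining the two filter types this way is an assumption of the example.

```python
import math
import re
from collections import Counter

# Constructed training messages (not real mail), labelled by hand.
TRAINING = [
    ("spam", "win a free prize now click here"),
    ("spam", "free money claim your prize today"),
    ("spam", "cheap loans click now limited offer"),
    ("ham", "your pension statement is ready to view"),
    ("ham", "meeting moved to friday please confirm"),
    ("ham", "mortgage renewal documents attached for review"),
]
WHITELIST = {"advisor@example.com"}  # hypothetical trusted sender
BLACKLIST = {"promo@example.net"}    # hypothetical blocked sender

def tokenize(text):
    return re.findall(r"[a-z']+", text.lower())

def train(samples):
    """Count words per class and messages per class."""
    counts = {"spam": Counter(), "ham": Counter()}
    docs = Counter()
    for label, text in samples:
        docs[label] += 1
        counts[label].update(tokenize(text))
    vocab = set(counts["spam"]) | set(counts["ham"])
    return counts, docs, vocab

def spam_probability(text, model):
    """P(spam | words) from Bayes' rule with add-one smoothing."""
    counts, docs, vocab = model
    score = {}
    for label in ("spam", "ham"):
        total = sum(counts[label].values())
        s = math.log(docs[label] / sum(docs.values()))  # class prior
        for word in tokenize(text):
            if word in vocab:  # words never seen in training carry no evidence
                s += math.log((counts[label][word] + 1) / (total + len(vocab)))
        score[label] = s
    return 1 / (1 + math.exp(score["ham"] - score["spam"]))

def classify(sender, text, model, threshold=0.9):
    # List-based decision first: it depends only on who sent the message.
    if sender in BLACKLIST:
        return "reject"
    if sender in WHITELIST:
        return "accept"
    # Content-based decision: depends only on what the message says.
    return "spam" if spam_probability(text, model) >= threshold else "ham"
```

A whitelisted sender is accepted even when the text scores as spam, which is why a compromised trusted account passes a purely list-based filter.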