In a significant order reinforcing the constitutional and statutory protection accorded to children’s personal data, the Bombay High Court has granted urgent ex-parte interim relief restraining an alleged cybercriminal group from publishing or disseminating highly sensitive personal information relating to thousands of school children enrolled in educational institutions managed by the Pratiksha Foundation Charitable Trust. Justice Arif S. Doctor, while exercising the Court’s equitable jurisdiction, directed the alleged hacker group, identified as “FulcrumSec”, from leaking, publishing, selling or otherwise disclosing the stolen information and further directed Google and other intermediaries to block the email identifiers allegedly being used by the cybercriminals to issue extortion threats. The order reflects the judiciary’s increasing recognition that cyberattacks targeting educational institutions are no longer merely financial crimes but constitute serious violations of children’s privacy, dignity and informational autonomy.
The suit was instituted after the charitable trust alleged that its digital systems had been compromised by the hacker group, which subsequently demanded a ransom of USD 750,000 in exchange for not releasing confidential information relating to students studying in schools operated by the Trust in Mumbai as well as overseas. According to the pleadings placed before the Court, the compromised database allegedly contained an extraordinary volume of highly sensitive personal information, including children’s medical records, psychological and mental health assessments, counselling reports, daily movement records within school premises, parents’ financial and occupational information, residential details and other confidential educational records. The plaintiffs further alleged that the hackers had escalated the threat by directly emailing one of the parents and disclosing confidential mental health information concerning children, thereby demonstrating both possession of the stolen data and an intention to publicly disseminate it if the ransom demand remained unmet.
Considering the urgency of the situation, Justice Arif Doctor granted an ex-parte ad-interim injunction without issuing prior notice to the defendants. The Court observed that disclosure of such sensitive information concerning minors would result in irreparable injury incapable of being compensated through monetary damages. Recognising the exceptional nature of the threat, the Court restrained the defendants, their associates and all persons acting on their behalf from publishing, leaking, circulating, selling or otherwise communicating the confidential data to any third party. Simultaneously, Google and other intermediaries were directed to block the email accounts allegedly being used by the hacker group for communicating extortion demands and distributing stolen information. The matter has been directed to be listed for further consideration after completion of procedural formalities.
Although the order is interlocutory in nature, its legal significance extends well beyond the immediate dispute. It represents one of the earliest judicial interventions directly addressing mass cyber extortion involving children’s personal information in the context of India’s newly evolving data protection framework. Traditionally, Indian courts dealing with cybercrime have primarily focused upon financial fraud, intellectual property theft or commercial data breaches. The present case, however, concerns the unauthorised acquisition and threatened disclosure of deeply personal information relating to minors a category of data that occupies a specially protected position under both constitutional jurisprudence and the Digital Personal Data Protection Act, 2023 (DPDP Act).
The proceedings assume particular importance because the DPDP Act establishes an enhanced protection regime for children’s personal data. Section 9 of the Act requires verifiable parental consent before processing the personal data of children and prohibits processing likely to have a detrimental effect upon their well-being. The legislative policy reflects the recognition that children constitute a particularly vulnerable class of data principals whose informational privacy requires greater protection than that afforded to adults. Although the present litigation primarily concerns an alleged criminal breach by external hackers rather than lawful processing by a data fiduciary, the Court’s intervention complements the statutory objective underlying the DPDP Act by preventing further dissemination of unlawfully acquired children’s data.
The case also illustrates the continuing constitutional evolution of informational privacy following the Supreme Court’s landmark decision in Justice K.S. Puttaswamy v. Union of India. In that judgment, a nine-judge Bench unequivocally recognised privacy as a fundamental right flowing from Article 21 of the Constitution. Importantly, the Court acknowledged that informational privacy the right to control the collection, storage, dissemination and use of personal information forms an essential component of individual dignity. Where the affected individuals are children, the constitutional obligation to safeguard informational privacy becomes even more compelling because minors often lack the legal and practical capacity to protect their own digital identities.
From a cyber law perspective, the proceedings demonstrate the increasing willingness of constitutional courts to deploy traditional equitable remedies against modern cyber threats. Ex-parte injunctions have historically been associated with intellectual property disputes, trademark infringement and protection of confidential commercial information. The Bombay High Court’s order illustrates how these equitable principles are now being adapted to digital privacy disputes where delay itself may irreversibly defeat justice. Once sensitive personal information is published on the internet or dark web, subsequent removal often becomes practically impossible. Consequently, preventive judicial intervention assumes greater significance than post-publication remedies.
Another noteworthy feature of the order concerns intermediary cooperation. Instead of limiting relief solely against the unidentified hackers, the Court also directed intermediaries to disable the communication channels allegedly being used to facilitate the cyber extortion. This reflects the increasingly collaborative regulatory model emerging under Indian cyber law, where effective protection frequently requires coordinated action by courts, investigating agencies, internet intermediaries and affected institutions. Such directions also align with the due diligence obligations imposed upon intermediaries under the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules.
The litigation further underscores the growing cyber security risks confronting educational institutions. Schools today maintain extensive digital repositories containing not merely academic records but also medical histories, behavioural assessments, biometric information, emergency contact details and counselling records. These databases often contain information far more sensitive than ordinary commercial data. Consequently, educational institutions have increasingly become attractive targets for ransomware groups seeking to exploit the emotional vulnerability of parents and administrators through extortion. The present proceedings highlight the urgent need for robust cyber security infrastructure, periodic vulnerability assessments and effective incident response mechanisms within educational institutions entrusted with children’s data.
The order also raises broader questions concerning institutional responsibility. While the alleged criminal conduct of external hackers remains the immediate subject matter of the litigation, modern data protection law increasingly expects organisations handling sensitive personal information to implement reasonable technical and organisational safeguards against unauthorised access. The Information Technology Act, 2000 particularly Section 43A and the DPDP Act together reflect an evolving legislative expectation that entities entrusted with personal data maintain adequate cyber security standards proportionate to the sensitivity of the information they process. Although no findings have presently been recorded concerning the Trust’s cyber security measures, the litigation serves as a reminder that prevention remains the most effective form of data protection.
From an international perspective, the case aligns with a growing global recognition that children’s digital rights deserve heightened legal protection. Jurisdictions governed by the General Data Protection Regulation (GDPR), the United Kingdom’s Age Appropriate Design Code and comparable privacy frameworks increasingly impose stricter obligations where children’s information is concerned. Indian jurisprudence appears to be moving in a similar direction by treating unlawful disclosure of minors’ personal data as a matter warranting immediate judicial intervention.
Ultimately, the Bombay High Court’s order signifies more than the grant of an interim injunction. It reflects the judiciary’s acknowledgement that in the digital age, protection of children’s personal data is inseparable from the constitutional guarantees of dignity, privacy and security. By acting swiftly to restrain the threatened disclosure of highly sensitive information, the Court has reaffirmed that cyber extortion involving minors demands the highest degree of judicial vigilance. As India continues to strengthen its data protection framework through statutory reform and constitutional interpretation, the decision stands as an important precedent emphasising that children’s digital identities deserve the same robust protection as their physical safety, and that courts will not hesitate to exercise equitable jurisdiction where irreparable harm to vulnerable individuals is imminent.

