Mumbai: The Bombay High Court has granted ad-interim relief to HDFC Asset Management Company Ltd (HDFC AMC) in a suit filed against unidentified cyber attackers allegedly behind a ransomware attack and theft of confidential company data.
Vacation bench of Justice Shreeram Shirsat passed a John Doe order on Friday after hearing HDFC AMC’s urgent plea seeking protection against the misuse, publication and circulation of data allegedly stolen by a ransomware group known as “Morpheus”.
According to the company, the cyber incident came to light on May 16, 2026, when its IT administrator found that parts of its on-premises VMware infrastructure had become inaccessible. The disruption affected several critical systems, including VPN, SFTP and antivirus management servers.
During its investigation, HDFC AMC discovered an email purportedly sent by Morpheus, claiming responsibility for the attack and alleging that more than 680 GB of sensitive data had been exfiltrated. The attackers allegedly threatened to publish the information unless the company contacted them within three days.
HDFC AMC informed the court that it manages investments for millions of investors across India and stores highly sensitive personal and financial information. The allegedly stolen data includes names, addresses, PAN details, bank account information, investment records, mobile numbers, email addresses and other confidential customer data. The company also said that its systems contain proprietary business information and employee records.
The court was told that HDFC AMC immediately activated its cyber incident response protocols, isolated and shut down affected servers, and reported the breach to regulatory and government authorities, including the Securities and Exchange Board of India (SEBI), CERT-In, the National Stock Exchange and the Bombay Stock Exchange.
Expressing concern over the consequences of any potential disclosure, Justice Shirsat noted that the attackers had threatened to release the data online. The court observed that such a leak could expose investors and other stakeholders to “identity theft, financial fraud, phishing attacks, SIM swapping schemes and unauthorized financial transactions”.
Holding that the company had made out a prima facie case for urgent protection, the court said, “If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences.” The court further observed that any such disclosure could cause “irreparable and irreversible damage” to the company as well as persons associated with it.
The High Court restrained unidentified persons from using, publishing, sharing or disseminating the stolen data. It also directed government authorities to remove, block and disable related online accounts, content, domain names, phone numbers and email addresses upon being notified by the company.
The matter has been posted for further hearing on June 16.
To get details on exclusive and budget-friendly property deals in Mumbai & surrounding regions, do visit: https://budgetproperties.in/
