The Bombay High Court has stepped in to prevent a catastrophic data leak, granting a temporary injunction against an unidentified ransomware group calling itself “Morpheus.” The group allegedly exfiltrated more than 680 GB of critical, confidential data from HDFC Asset Management Company (AMC). In an order passed on May 29, a vacation bench of Justice Shreeram Shirsat warned of “dreadful consequences” if the stolen information—which impacts millions of Indian investors—is leaked or traded, noting it could cause “irreparable and irreversible damage” to the firm.
A Race Against Time to Protect Investor Data
The cyberattack first came to light on May 16, when HDFC AMC’s IT administrator noticed anomalies within the company’s digital infrastructure. Later that day, the firm discovered an extortion email from “Morpheus” claiming they had successfully breached the network and siphoned off over 680 GB of highly sensitive data.
As a primary custodian of public investments across India, HDFC AMC manages the assets of millions of mutual fund unit holders. The compromised data repository contains:
- Full names and residential addresses
- Official identity documents and PAN card details
- Private bank account numbers
- Highly confidential individual investment records
Upon discovering the breach, HDFC AMC immediately activated emergency protocols to contain the damage and formally reported the cybersecurity incident to the Securities and Exchange Board of India (SEBI).
Government Directed to Scrub Stolen Data
Faced with a persistent threat that the hackers would publish the data, HDFC AMC filed a suit seeking urgent judicial intervention. The court agreed that the plaintiff made out a strong prima facie case for immediate interim relief, given the imminent risk of financial fraud and identity theft facing millions of everyday investors.
Beyond restraining the “Morpheus” group from using, distributing, or disclosing the stolen information, Justice Shirsat issued a sweeping directive to the Union Government of India. The court ordered the Department of Telecommunications (DoT) and the Ministry of Electronics and Information Technology (MeitY) to take all necessary steps to remove, delete, block, and disable any digital accounts or platforms associated with the stolen data.
The Bombay High Court has scheduled the matter for a follow-up hearing on June 16 to assess containment progress and further legal steps.
