The Bombay High Court has issued a temporary injunction against a ransomware group calling itself "Morpheus," preventing it from publishing, distributing, or revealing confidential information allegedly stolen from HDFC Asset Management Company (HDFC AMC).
The interim order was passed on May 29 by a vacation bench led by Justice Shreeram Shirsat, which observed that the company had established a prima facie case warranting immediate relief.
"If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences and it can cause irreparable and irreversible damage to the plaintiff company," the court said.
In addition to restraining the ransomware group from using or disclosing the data, the court directed the Union government to take appropriate measures to remove, block, disable, and delete online accounts associated with the stolen information.
The order came in response to a suit filed by HDFC Asset Management Company Limited seeking legal protection against the unidentified hackers. The company requested the court to prohibit the cybercriminals from sharing, publishing, or otherwise exploiting the confidential data allegedly taken during the cyberattack.
HDFC AMC also sought directions against the Department of Telecommunications and the Ministry of Electronics and Information Technology, urging them to take necessary action to eliminate online access points linked to the compromised data.
According to the petition, HDFC AMC provides investment management and advisory services to millions of HDFC Mutual Fund investors and oversees assets belonging to investors across the country. As part of its operations, the company maintains sensitive customer information, including names, addresses, identity records, PAN details, bank account information, and investment-related data.
The company informed the court that on May 16, its IT administrator detected unusual activity within its technology infrastructure. Further investigation led to the discovery of an email from an entity identifying itself as "Morpheus," which claimed to have extracted more than 680 GB of critical company data.
Following the incident, HDFC AMC said it immediately activated its cybersecurity response protocols to contain the breach and notified the Securities and Exchange Board of India (SEBI) about the incident.
The company argued that there remains a significant risk of the stolen information being leaked, which could expose millions of investors to identity theft, financial fraud, and other forms of cybercrime. It further contended that any public release of the data could severely impact its reputation and operations.
The matter is scheduled for further hearing before the Bombay High Court on June 16.
