The Bombay High Court has granted temporary injunction against a ransomware group identifying itself as “Morpheus” from distributing or disclosing confidential data exfiltrated by it from the HFDC Asset Management Company.
A vacation bench of Justice Shreeram Shirsat, in the order passed on May 29, said prima facie an arguable case was made out to grant interim relief.
“If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences and it can cause irreparable and irreversible damage to the plaintiff company,” the court said.
Apart from the injunction against the ransomware group from using, distributing or disclosing the confidential data, the court also directed the Union government to take all steps necessary to remove, delete, block and disable accounts in relation to the stolen confidential data.
The order was passed on an application and suit filed by HDFC Asset Management Company Limited seeking an injunction against the hackers from using, publishing, distributing or disclosing to any person the confidential data stolen by it.
The plea also sought a direction to the Union government through the Department of Telecommunications and the Ministry of Electronics and Information Technology to take steps to remove, delete, block and disable all those accounts in relation to the confidential data stolen by the unidentified hackers.
The petition claimed the petitioner was an asset management company providing investment management and investment advisory services to the millions of unit holders of HDFC mutual fund and manages assets of millions of investors across India.
The petitioner is entrusted with the management of public investments and was the custodian of confidential data which includes names, addresses, identity documents, PAN card details, bank account details and investment details of millions of investors.
As per the plea on May 16, the plaintiff’s IT administrator found something amiss in the IT infrastructure. Later the same day, the company discovered an email issued by an entity named “Morpheus” claiming exfiltration of over 680 GB of critical data.
The company claimed it took immediate steps and activated necessary protocols for containment of the damage and also reported the cyber security incident to the SEBI.
The company informed HC there was a persistent threat that confidential data may be leaked and such dissemination would not only expose millions of individual investors to immediate risk of identity theft, financial fraud and so on but would also affect the company.
The court posted the matter for further hearing on June 16.
Published on June 1, 2026
