Bombay High Court Blocks Ransomware Group Morpheus From Leaking HDFC AMC Data
- Kaustav Chowdhury

The Bombay High Court has granted a temporary injunction restraining an unidentified ransomware group calling itself Morpheus from publishing, selling or otherwise exploiting confidential data allegedly stolen from HDFC Asset Management Company. As per media reports, the group claims to have exfiltrated more than 680 GB of sensitive information from the fund house's network. The order is a significant example of Indian courts using civil injunctions against anonymous cybercriminals.
How the Attack Came to Light
According to reports of the proceedings, HDFC AMC's IT team noticed anomalies in the company's digital infrastructure on May 16, 2026. The same day, the company reportedly received an extortion email from the Morpheus group claiming that it had breached the network and copied a large volume of data. The allegedly stolen information is reported to include investor names, addresses, PAN details, bank account information, investment records, mobile numbers and email addresses.
Faced with the threat of public disclosure, the asset manager moved the Bombay High Court seeking urgent interim relief against the unknown attackers.
What the Court Ordered
A vacation bench of Justice Shreeram Shirsat passed the interim order on May 29, 2026, restraining the group and all persons acting on its behalf from leaking, publishing or trading the data. The Court observed that disclosure of information affecting millions of Indian investors could cause irreparable and irreversible damage, and warned of dreadful consequences if the stolen information were leaked or traded.
Importantly, the Court did not stop at the attackers. It directed the Department of Telecommunications and the Ministry of Electronics and Information Technology to take all necessary steps to remove, delete, block and disable digital accounts and platforms associated with the stolen data. The matter has been listed for further hearing on June 16, 2026, when the Court is expected to review containment progress.
The Legal Significance of John Doe Orders in Cybercrime
Orders of this kind, often called John Doe or Ashok Kumar orders in India, are injunctions against unknown defendants. They have historically been used against film piracy, but courts have increasingly extended them to data theft and extortion. While a hacker group operating from unknown jurisdictions may never appear before the court, the order creates a binding legal basis for intermediaries, hosting providers, telecom operators and government agencies to take down leak sites, block accounts and disable channels used to distribute stolen data.
The direction to MeitY and DoT illustrates this enforcement model. Even where the primary wrongdoer is anonymous, the injunction can be enforced against every intermediary through which the data might surface.
What This Means for Companies Holding Personal Data
The case underlines the legal exposure that follows a major data breach. Companies that suffer ransomware attacks must consider immediate steps on several fronts: reporting obligations to CERT-In under its cyber incident reporting directions, regulatory notifications applicable to financial sector entities, and civil remedies such as injunctions to limit the spread of stolen data. With the Digital Personal Data Protection Act, 2023 regime taking shape, organisations handling large volumes of personal data face rising expectations on breach response, and an early court-ordered containment strategy can materially reduce the harm to affected individuals.
The episode also illustrates a strategic choice that breach victims must make quickly. Paying a ransom offers no guarantee that stolen data will be destroyed and may raise its own legal concerns, while approaching a court openly acknowledges the breach but creates enforceable machinery to suppress dissemination. Indian companies have increasingly chosen the latter route, and the relief granted here shows courts are receptive when the threatened harm extends to the public at large.
What Affected Investors Should Do
Investors in schemes of the fund house do not need to take any drastic step at this stage, and reports do not indicate any compromise of investment holdings themselves. The practical risk after any breach of personal data is targeted phishing. Investors should be sceptical of calls, emails or messages that cite their personal details to appear legitimate, should not act on payment requests or links received over messaging platforms, and should rely only on official communication channels. Anyone who suffers an attempted fraud can report it on the national cybercrime portal at cybercrime.gov.in or by dialling the 1930 helpline.
Key Takeaways
The Bombay High Court has restrained the Morpheus ransomware group from disclosing data allegedly stolen from HDFC AMC and has directed central agencies to block associated digital platforms. Injunctions against unknown cyber attackers are now an established part of the Indian breach-response toolkit. For investors, no adverse action is required at this stage; the matter returns to court on June 16, 2026. For companies, the case is a reminder that a rapid combination of regulatory reporting and civil injunctive relief is the emerging standard of care after a serious breach.
