MUMBAI: The Bombay High Court has granted urgent ad-interim relief to HDFC Asset Management Company (AMC) after the company informed the court that a ransomware group identifying itself as “Morpheus” had allegedly exfiltrated more than 680 GB of sensitive and confidential data from its IT infrastructure.

Justice Shreeram V Shirsat, hearing the matter during the court vacation, observed that there was a “persistent threat” of the stolen data being leaked online and restrained the unidentified hackers from using, publishing or disseminating the information pending further hearing.

The order was passed in an interim application filed by HDFC Asset Management Company in its commercial intellectual property suit against the Union of India and others. According to the company, the cyberattack came to light on May 16 when its IT administrator reported an inability to access the on-premises VMware environment, affecting several critical systems, including SFTP, DLP, VPN servers and antivirus management infrastructure. During the subsequent investigation, the company allegedly discovered an email from an entity calling itself “Morpheus”, claiming responsibility for the breach.

The court reproduced portions of the alleged ransom email in its order. The message stated: “Hello, we are writing to inform you that your company has been compromised. Over 680 GB of critical data has been exfiltrated. To prevent this information from being leaked online, you must contact us within 3 days.” The email also allegedly contained darknet credentials and communication channels through which the attackers could be contacted.

Appearing for HDFC AMC, advocate Aviral Sahai submitted that the company manages investments for millions of investors across India and acts as a custodian of highly sensitive financial and personal information.
The court recorded the company’s submission that the compromised data included “names, addresses, identity documents, PAN details, bank account details, portfolio details, investment details, mobile numbers, email addresses” as well as proprietary investment analyses and employee-related information.

The company argued that the information had been entrusted to it “on the highest confidential basis” and that it was under both contractual and statutory obligations to safeguard the same.

HDFC AMC further informed the court that immediately after discovering the breach, it initiated containment measures, shut down affected servers, deactivated privileged credentials and conducted a business impact assessment. It also notified the Securities and Exchange Board of India (SEBI), the Indian Computer Emergency Response Team (CERT-In), the Reserve Bank of India and stock exchanges about the incident. The order notes that disclosure notices and cyber incident reports were submitted to SEBI, NSE and BSE in compliance with regulatory requirements.

Recording the submissions, the court observed that the “ransomware attack carried out by Defendant No 3 in the name of ‘Morpheus’ appears to be a ransomware group which has been targeting numerous victims, and leaking stolen data on the dark web.” The court also took note of the company’s apprehension that the confidential information could be leaked “without any further notice”.

Granting interim protection, Justice Shirsat held that a “prima facie arguable case” had been made out for the grant of ad-interim relief.
The court observed that “if the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences and it can also cause irreparable and irreversible damage to the Applicant/Plaintiff company and all others associated with the said company.”

The High Court consequently restrained the alleged hackers and all persons acting through them from “using, copying, publishing, distributing, transmitting, communicating or disclosing” the confidential data or any other non-public information related to the company.

The court also directed government authorities and intermediaries to “remove, delete, block and disable accounts, content, domain names and phone numbers and email addresses” linked to the stolen data within 24 hours of being informed by the company.

The matter has been posted for further hearing on June 16. The ad-interim order will remain in force until the next date of hearing.