Court Orders Immediate Action Against Cyber Threat; Confidential Data to be Safeguarded
In a significant ruling on 29th May 2026, the Bombay High Court has granted an ad-interim injunction in favor of HDFC Asset Management Company Limited, amidst a severe ransomware attack threatening the confidentiality of critical data. The interim relief was granted by Justice Shreeram V. Shirsat, following an urgent application filed by the company to prevent the dissemination of sensitive data allegedly stolen by a ransomware group identified as "Morpheus."
The court acknowledged the urgency and gravity of the situation, noting the potential irreparable harm to the applicant and its stakeholders should the confidential data be leaked. The data in question includes sensitive personal and financial information of millions of investors, as well as proprietary analyses and investment ideologies developed by HDFC Asset Management Company.
The plaintiff, represented by Mr. Aviral Sahai and his legal team from Cyril Amarchand Mangaldas, reported a security breach on 16th May 2026, when their IT infrastructure was compromised. An alarming email from the ransomware group demanded contact within three days to prevent the data's leakage. HDFC Asset Management Company acted promptly, reporting the incident to SEBI, CERT-In, and other relevant authorities while implementing protocols to mitigate the damage.
Justice Shirsat, in his order, emphasized the balance of convenience favoring the applicant, given the potential for "dreadful consequences" if the data were misused or leaked. The interim relief directs Defendant No. 3, identified as the ransomware group, to cease any use or distribution of the stolen data. Additionally, the court instructed Defendant Nos. 1 and 2, including internet service providers, to take immediate steps to remove, delete, block, and disable any online content or accounts related to the stolen data.
The matter is set for further hearing on 16th June 2026, with notices issued to the respondents. Until then, the interim order will remain in effect, ensuring the continued protection of the confidential information at stake.
Bottom Line:
Temporary injunction can be granted to protect confidential data from being leaked or misused when there is a prima facie case of a ransomware attack and the balance of convenience lies in favor of the applicant.
Statutory provision(s): Civil Procedure Code, 1908 - Order XXXIX Rules 1 and 2, Information Technology Act, 2000
HDFC Asset Management Company Limited v. Union of India, (Bombay) : Law Finder Doc id # 2911573
