
HDFC AMC Data Breach: Fund House Alerts Mutual Fund Investors on SIM Swaps and Password Resets

The AMC mentioned that the email had been sent to make investors aware of a recent cybersecurity incident.

Summary
  • HDFC AMC reports data breach affecting investor personal data.

  • Investor mutual fund holdings and portfolios remain completely safe.

  • Investors must reset passwords immediately to secure accounts.

On the evening of June 12, several mutual fund investors received an email from HDFC Asset Management Company urging them to reset their current account password the next time they log in to the company’s platform.

The AMC mentioned that the email had been sent to make investors aware of a recent cybersecurity incident. The fund house clarified that the value of holdings, mutual fund units and investments remain unaffected by the incident. However, it maintained that the incident relates to investors’ data and that they should take steps to safeguard it.

“Your investments, units, and the value of your holdings have not been affected. This incident relates to data, not to your money or your portfolio,” HDFC AMC mentioned in the email.

HDFC AMC Data Breach

The fund house said that it had identified unauthorised activity affecting parts of its IT systems, promptly activated its security response, and engaged experts to deal with the matter.

“Recently, we identified unauthorised activity affecting parts of our IT systems. We promptly activated our security response, isolated the affected systems, and engaged cyber security experts to investigate. The individuals behind the incident have claimed to have accessed certain data.”

Earlier, on May 16, the company informed investors in an exchange filing that it had received a message from an anonymous source claiming that parts of its IT infrastructure had been accessed, following which the company activated its containment and incident response.

The fund house added that it has reported the matter to the Securities and Exchange Board of India, CERT-In, NSE and BSE. The company further added that it has also obtained an order from the Bombay High Court to prevent the misuse of the data.

“We have reported the matter to the relevant authorities, including SEBI, CERT-In, the NSE and the BSE. We have also obtained an order from the Hon'ble Bombay High Court restraining anyone from publishing, circulating, or misusing the affected data.”

As a part of SEBI’s Cybersecurity and Cyber Resilience Framework for AMCs, fund houses are required to notify the market watchdog when they detect a critical incident.

What Should Investors Do

To prevent misuse of their sensitive information, investors should change their password as per the AMC’s instructions. The AMC has strongly recommended that investors reset their password and choose one they do not use anywhere else.

The fund house also cautioned investors against unexpected requests and urged them not to comply. The AMC added that it never asks investors for their password, OTP, PIN, or full bank details via email, SMS, or phone calls. It also urged investors to be wary of requests that press them to act urgently, and asked them not to click any unknown links or attachments from unknown senders.

“Reset your account password the next time you log in to our platforms, and choose a strong password you don't use elsewhere. We will never ask you for your password, OTP, PIN, or full bank details through email, SMS, or phone; please don’t share them with anyone. Please continue to be cautious of unexpected requests, particularly anyone asking you to act urgently. Don’t click any unknown links or attachments from unknown senders,” HDFC AMC said.

Alerting users to the possible symptoms of a SIM swap, the company urged them to monitor their mobile phones closely for a sudden loss of signal or an inability to receive calls and messages. Typically, this happens when fraudsters transfer your number to a new SIM to gain access to your OTPs.

"If your mobile unexpectedly loses network or stops receiving calls and SMS, please contact your telecom operator, as this can sometimes indicate a SIM-swap attempt," HDFC AMC said.

Lastly, the fund house instructed investors to review their accounts and report any unusual activity to the company by email at hello@hdfcfund.com or by phone on 1800 3010 6767 / 1800 4197 676.

Why Your Mutual Fund Units Remain Unaffected

The data breach is not likely to affect mutual fund units, as the units you invest in are stored electronically with depositories like Central Depository Services Limited (CDSL) or National Securities Depository Limited (NSDL), which have their own dedicated server separate from fund houses.

Thus, a breach of one AMC's IT infrastructure cannot enable fraudsters to gain access to your mutual fund units. Additionally, they cannot redeem units without your registered mobile number, email OTP, or MPIN.

Rising Cybercrime In India

According to a report by the State Bank of India, cybercrime in India is rising despite a decline in overall crime, potentially crossing 1 lakh cases. According to Ministry of Home Affairs data, Indians reported 2.81 million cybercrime cases in 2025, up from 1.9 million in 2024 and just 2,62,846 in 2021.

According to Cyberpeace, a non-profit civil society organization and think tank, financial losses on account of cybercrime hit Rs 22,495 crore in 2025, indicating a 41-fold increase between 2021 and 2024. I4C projects that total annual losses could soon exceed Rs 1.2 lakh crore, representing roughly 0.7 per cent of India's GDP.

Thus, the HDFC AMC data breach indicates that cybercrime is on the rise. While institutions are taking several steps to curb crime, individuals should also remain alert and aware in order to protect themselves.
