HDFC AMC told investors to reset passwords and watch for SIM-swap attempts after a data breach. Units are safe, identity data may be exposed. Here is what to do.
Alpha Score of 29 reflects poor overall profile with weak momentum, poor quality, moderate sentiment. Based on 3 of 4 signals – score is capped at 90 until remaining data ingests.
HDFC Asset Management Company told investors to reset passwords and watch for SIM-swap attempts after a cybersecurity breach hit parts of its IT systems. The fund house, India's second-largest by assets under management at roughly ₹7.6 lakh crore, said mutual fund units and portfolio values were not affected. Investor identity and financial data may have been exposed.
The incident started on 16 May 2026, when an anonymous source claimed access to portions of HDFC AMC's IT infrastructure. The company activated containment protocols and hired a specialist firm to assess the damage. On 12 June, it wrote directly to investors.
"Recently, we identified unauthorised activity affecting parts of our IT systems. We promptly activated our security response, isolated the affected systems, and engaged cyber security experts to investigate. The individuals behind the incident have claimed to have accessed certain data," the company said in its letter.
HDFC AMC reported the breach to SEBI, CERT-In, the NSE and the BSE. It also obtained an order from the Bombay High Court restraining anyone from publishing, circulating, or misusing the affected data. Under SEBI's Cybersecurity and Cyber Resilience Framework for AMCs, introduced in June 2023, fund houses must notify SEBI within six hours of detecting a critical incident. That clock starts at detection, not at public disclosure.
Why your units are safe, your data is not
The company has been explicit: "Your investments, units, and the value of your holdings have not been affected. This incident relates to data, not to your money or your portfolio."
That assurance rests on how India's mutual fund system is built. Units are not stored inside an AMC's own IT environment. They sit at depositories – CDSL or NSDL – both regulated by SEBI. The Register and Transfer Agent, CAMS or KFintech in HDFC AMC's case, maintains the unit registry independently. Three separate systems, three separate organisations, separate infrastructure.
A breach of the AMC's IT systems does not, by itself, enable unit transfer or redemption. Any redemption requires authentication through a registered mobile number, email OTP, or MPIN – all of which operate independently of the AMC's internal systems.
What the breach does implicate is investor identity and financial data. A standard HDFC AMC folio record contains a combination of PAN, bank account details, address, investment history, SIP amounts, and nominee information. That combination is enough to facilitate SIM-swap fraud, targeted phishing, or account-takeover attempts. The risk is real, even if it is distinct from any direct loss of investment value.
Three steps to take now
Start with your password. HDFC AMC advises resetting your account credentials the next time you log in, using a strong password you do not use on any other platform.
Be sceptical of anything that arrives unexpectedly. The company is unambiguous: "We will never ask you for your password, OTP, PIN, or full bank details through email, SMS, or phone; please don't share them with anyone. Please continue to be cautious of unexpected requests, particularly anyone asking you to act urgently. Don't click any unknown links or attachments from unknown senders."
Watch your phone closely. A sudden loss of mobile signal or an inability to receive calls and SMS can be an early warning of a SIM-swap attack, where a fraudster transfers your number to a new SIM to intercept OTPs. "If your mobile unexpectedly loses network or stops receiving calls and SMS, please contact your telecom operator, as this can sometimes indicate a SIM-swap attempt," HDFC AMC warns.
Review your account periodically and flag anything unfamiliar. For queries, the company's support team is reachable at hello@hdfcfund.com or on 1800 3010 6767 / 1800 4197 676, from 9 a.m. to 6 p.m. Monday to Friday and 9 a.m. to 1 p.m. on Saturdays.
The broader picture
The HDFC AMC incident arrives as financial cybercrime across India accelerates sharply. According to official data cited in a Reuters report, high-value cyber fraud cases surged more than fourfold in fiscal 2024, generating losses of roughly $20 million. Incidents involving amounts of ₹1 lakh or more climbed to 29,082 from 6,699 in the preceding year.
A recent FICCI-EY Risk Survey found that cyber-attacks and data breaches now rank among the primary risks facing Indian companies, with a majority of senior executives identifying them as a material threat to both financial performance and corporate reputation.
SEBI's June 2023 framework places substantial obligations on AMCs above a threshold AUM level. These include a designated Chief Information Security Officer, mandatory annual audits by CERT-In empanelled auditors, a Security Operations Centre or equivalent monitoring capability, and business continuity and disaster recovery plans tested at least once annually.
HDFC AMC's systems have been secured and its investigation is ongoing, the company said.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.