HC reprieve for Generali Central Insurance after major cyberattack

MUMBAI: The Bombay High Court on Thursday granted urgent ad-interim relief to Generali Central Insurance Company Ltd after it lost nearly 386.8 GB of confidential customer and company data to a cyber attack from the Medusa ransomware group, a highly active malware that pressures firms into paying ransom by threatening to publicly release sensitive data and ruin their reputations.

The vacation bench of justice Farhan P Dubash directed the department of telecommunications and the ministry of electronics and information technology to take immediate steps to block, remove, and disable any online content, domain names, or communication channels found sharing Generali Central Insurance Company Ltd’s stolen data.

A single judge bench of the high court had, on October 16, granted similar ad-interim relief to Generali Central Life Insurance Ltd, a sister firm of Generali Central Insurance Company Ltd.

According to Generali Central Insurance’s plea, the breach occurred on September 23, 2025, when hackers infiltrated its central server and exfiltrated data belonging to both Generali Central Insurance and Generali Central Life Insurance. The incident came to light five days later, on September 28, when threat intelligence account FalconFeeds.io posted about the attack on social media platform X, identifying it as a “Medusa ransomware” incident.

The post contained a screenshot from the “Medusa Blog,” a site from the dark web where the stolen data had allegedly been listed for sale. A countdown timer on the blog offered the company three options: extend the timer for $10,000, delete all data for $500,000, or download the entire dataset for the same amount.

Generali Central Insurance told the vacation bench of justice Farhan P Dubash that the stolen information included sensitive customer details such as names, addresses, PAN and bank account numbers, and KYC documents, all of which were stored under strict security protocols. The company had filed a police complaint (FIR number 0238/2025) regarding the data breach with the Mumbai cyber police and notified both the Insurance Regulatory and Development Authority of India (IRDAI) and the Indian Computer Emergency Response Team (CERT-In).

Justice Dubash observed that a “strong prima facie case” was made out for immediate intervention.

“If the confidential data is made public or traded, it would result in catastrophic consequences,” he noted, adding that the risk of irretrievable harm to both the company and its customers warranted urgent relief.

The court restrained the unknown hackers, referred to as “John Doe”, from using, publishing, or sharing the stolen data in any form or on any platform. It also asked the authorities to act with urgency and file a compliance affidavit.

Counsel for the union government, YR Mishra, told the court that the government would extend its “fullest cooperation” to the insurer in mitigating the impact of the cyber incident.

The matter will now be heard again on November 26, with the union government directed to file its response by November 24.