Privacy & Information Security Law Blog

On December 20, 2022, the English High Court has granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant's identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach. 

Background

The claimant provided technology services and its databases contained information concerning various “security-sensitive and highly classified projects of national significance.” The unknown defendant sent a ransom note stating they had downloaded the claimant's databases and servers and had encrypted some of the claimant's files. The hackers demanded over U.S. six million in exchange for decryption and non-disclosure of the information via e-mail. The affected data was made up of three main categories: (1) security sensitive; (2) commercially sensitive; and (3) personal data.

Shortly after becoming aware of the cyber attack, the claimant received an ultimatum from the defendant stating it would start to disclose the data on their platform on the “Dark Web.” The claimant immediately sought a without notice injunction to prohibit the defendant from doing so, which the court granted. The claimant then commenced proceedings for breach of confidence, seeking permanent injunctions and damages, without receiving any further communications from the defendant.

Issues Before the High Court and the Decision

The key issues before the High Court and its decision were as follows:

• Anonymity: in determining whether the Court should continue to maintain the claimant’s anonymity, the Court determined it should be maintained because releasing the identity would further advance the objectives of the defendant and cause harm to the claimant’s business;
• Public vs. Private Hearing: in determining whether the hearing dealing with the application for summary judgment should be heard in a private or in public, the Court held that it should be heard in open court as the anonymity order would sufficient protect the claimant’s interests; and
• Summary Judgement Application: in determining whether the Court should grant the claimant summary judgment, it held it should be granted as the defendant had no real prospect of defending the claim.