In XXX v Persons Unknown, the English High Court considered granting an injunction against an unknown defendant who had committed ransomware attacks, holding that:
- The claimant would be granted summary judgment in respect of a permanent injunction in a breach of confidence claim, following an interim injunction which was granted shortly after the ransomware attack occurred; and
- The claimant’s anonymity would be maintained, but the summary judgment application would be heard in public for the purposes of open justice.
The claimant was a commercial entity with substantial international business. On or around 24 March 2022, the claimant fell victim to a ransomware attack. The claimant received a ransom note from cyber attackers who had downloaded the claimant’s databases, FTP server, and file server. The attackers also encrypted files from the claimant’s computers, making them inaccessible to the claimant.
On 26 March 2022, the attackers demanded a ransom of USD $6.8 million in exchange for the decryption and non-disclosure of the downloaded information. On 28 March 2022, the attackers provided evidence that they did indeed hold the files they claimed. On 29 March 2022, the claimant received an ultimatum indicating that the attackers would begin to post the claimant’s information on their platform if the ransom was not paid.
The claimant therefore made an application without notice and was granted an injunction prohibiting the attackers from using or disclosing the data stolen during the attack. The order contained confidentiality provisions and permission for alternative service on the two email addresses provided by the attackers in their ransom demand.
Extension of injunction with modified terms
On 12 April 2022, the continuation of the injunction was sought, with certain modifications. These modifications included:
- The requirement that the defendants identify themselves to the claimant and the court;
- No copies of the skeleton arguments or other filings to be provided to any person without further order of the court;
- Retrospective permission for redactions in evidence;
- A requirement for the disclosure of information within 24 hours of the order being served;
- The requirement that material can be shown only to parties who already have the claimant's information in their possession. If any other party wished to see the materials upon which the applications were made, that party could apply to the court; and
- Provisions requiring the claimant to take steps to prosecute the proceedings.
Mr Justice Chamberlain held:
- It was necessary to continue the application in private to “avoid undermining the object of the application”. If it had been held in public, it would have “disclosed matters which would further the object of the apparently criminal cyberattack.”
- The claimant should and would continue to be anonymised in these proceedings. The claimant had been blackmailed, and the “object and purpose … of the cyberattack would be furthered” if the claimant was not anonymised.
- The test for the grant of interim relief as set out in American Cyanamid was “amply” satisfied – especially given the lack of response from the defendants. Further, there was a “serious arguable case” and an “overwhelming case for injunctive relief.”
- All the modifications to the order requested by the claimant were justified and to be applied.
Application for permanent injunction and summary judgment
On 25 October 2022, the claimant sought summary judgment in relation to its claim for a permanent injunction. At this hearing, Mr Justice Cavanagh held:
- The identity of the claimant would continue to be anonymised on the same terms as before. Anonymity was justified given the nature of the work that the claimant was involved in and the risk of third parties with “malign intent” contacting the defendants or seeking out the stolen information on the dark web.
- The summary judgment application would take place in public, but the claimant’s evidence would be heard and reviewed in private. To hold the hearing entirely in private would present an unnecessary restriction on the principle of “open justice”. The interests of the claimant were found to be sufficiently protected by the continuation of the anonymity order, and it was possible for the claimant to make submissions without referring to anything that would give a clue to the claimant’s identity.
- Summary judgment would be granted under the terms sought by the claimant, given that the blackmail surrounding the ransomware incident gave rise to a breach of confidence claim. The material in question “has the necessary quality of confidence about it” and “falls into one of the following categories: security sensitive information, commercially sensitive information or personal information”. It was also clear that this information had been unlawfully obtained by “computer hacking.”
- The relief granted would take the form of a final injunction, with the issue of costs and damages adjourned. This was because the time and expense associated with quantification were considerable in circumstances where the defendants “remain unknown [and] are highly unlikely to pay damages awarded against them.”
- There are two grounds under which the principle of open justice may be departed from for the purposes of upholding anonymity orders or conducting proceedings in private. The first is the maintenance of the administration of justice, and the second is harm to other legitimate interests. In this case, the court conceded that public interest was outweighed by the potential harm that may have flowed from the disclosure of the claimant’s identity.
- Not every data hacking or cyberattack will justify anonymity. The mere fact that a business would be “likely to suffer negative commercial and reputational consequences if it becomes public knowledge that their computer systems have been broken into and have been the subject of a ransomware attack” is not automatically a sufficient reason to make orders that have the effect of keeping secret the name of a claimant. However, the influence or existence of blackmail appears to be a substantial factor in finding in favour of an anonymity order.
- On the facts of this case, the claimant could have obtained judgment in default as the defendants had not acknowledged service or filed a defence, but the claimant instead sought summary judgment on the merits as a means “to assist the claimant in having the judgment recognised and enforced in foreign jurisdictions.” This approach presents a route for parties to ensure judgments obtained in default or on a summary basis will be recognised by foreign jurisdictions, meaning greater enforceability.
The judgment highlights circumstances in which claimant anonymity could and should be upheld in proceedings following a cyberattack incident. It also demonstrates the willingness of courts to grant injunctions (interim and permanent) even in instances where the defendant is unknown and uncooperative.