Introduction
The High Court has granted the victim of a cyberattack a permanent injunction against cyberattackers without the victim organisation having to reveal its identity. Generally, a claimant’s identity is public in court proceedings, so the potential to remain anonymous in appropriate cyberattack cases will be invaluable to those seeking to minimise reputational fallout from a data breach.
Under English law, injunctions can be made against unknown and unidentifiable defendants. This enables injunctions to be granted against individuals who are acting in breach, or threatening to commit a breach, where those persons are not identified or known during the proceedings (as is nearly always the case with threat actors in a cyberattack).
Background
The claimant company provided technology services and its databases contained information concerning various ‘security-sensitive and highly classified projects of national significance’. The unknown defendant sent a ransom note outlining that they had downloaded the claimant’s databases and servers and had encrypted some of the claimant’s files making them inaccessible to the claimant. The hackers demanded over US$6 million in exchange for decryption and non-disclosure of the information via e-mail.
The stolen data fell into three categories: (a) security sensitive; (b) commercially sensitive; and (c) personally identifiable information. The majority of the data fell within categories (a) and (b) and the claimant noted that most of this information was ‘highly classified and protected by the Official Secrets Act 1989’.
A few days after becoming aware of the cyberattack, the claimant received an ultimatum from the defendant indicating that they would start to disclose the confidential information they removed during the attack on their platform on the ‘Dark Web’. The claimant immediately sought a without notice injunction to prohibit the defendant from doing so, which the court granted. The claimant then commenced proceedings for breach of confidence, seeking permanent injunctions and damages, without receiving any further communications from the defendant.
The Issues Before the High Court
The key issues Mr. Justice Cavanagh considered were whether: (1) the court should continue to maintain the claimant’s anonymity; (2) the hearing dealing with the application for summary judgment should be heard in private or in public; and (3) the court should grant the claimant summary judgment.
The claimant provided information to the court as to:
1. the highly sensitive nature of the data removed by the defendant, some of which was protected by the Official Secrets Act 1989;
2. the highly classified nature of the business undertaken by the claimant;
3. the defendant’s operations on the ‘Dark Web’ and its previous history in attacking and blackmailing other organisations;
4. the extent to which the claimant had informed affected client organisations and staff, and notified the UK’s ICO under UK GDPR requirements; and
5. the extent to which the ransomware attack had become known to third parties as a result of the defendant uploading some data to its platform on the ‘Dark Web’.
The Decision
The High Court ruled in favour of the claimant, and held that:
- Summary Judgment Application – summary judgment on the claim for breach of confidence and relief in the form of a permanent injunction should be granted. The defendant had no real prospect of defending the breach of confidence claim as they continued to misuse the stolen data and had not engaged in the proceedings.
- Anonymity Order – releasing the claimant’s identity would further advance the objectives of the defendants and cause harm to the claimant’s business, so the circumstances of the case justified the continuation of the claimant’s anonymity.
- Public vs. Private Hearing – the claimant’s interests were sufficiently protected by continuing the anonymity order and imposing certain other confidentiality provisions, so the summary judgment application would be heard in open court.
Key Takeaways
Seeking injunctive relief is an uncommon, yet recently more frequent, method for responding to cyberattacks in the UK and a practice not followed in the U.S. Generally, the deterrents are that:
1) the victim company would not want to publicise the attacker’s intrusion, or the fact that the defendant is not known, and suffer the reputational damage that would come with such disclosures; and
2) the threat actors are unlikely to comply with the injunction and serving such an injunction would likely only serve to further aggravate the perpetrators.
Though highly unusual to seek judicial relief in this type of circumstance, companies may be more inclined to take this step in the future if able to preserve anonymity when seeking an injunction.
Businesses that fall victim to this type of ransom attack are often faced with the choice of either: (1) paying the ransom; or (2) declining to pay the ransom. The second option would raise the risk that the victim company’s sensitive data would be shared publicly and that the compromise of its IT systems would be disclosed. This case presents a situation where the victim company chose a third option of seeking judicial relief. The decision demonstrates that courts are willing to grant a final injunction against unknown defendants and preserve the claimant’s identity in the process, especially in circumstances where disclosing the claimant’s identity would mean the courts would inadvertently cause cyberattack victims more harm.
However, businesses should tread carefully as seeking such injunctions may not improve the victim company’s situation in practice – they may win the battle but lose the war. Cyber criminals are unlikely to put any credence in a court order, much less adhere to it. Threat actors are often organised crime syndicates running the attacks themselves or providing “ransomware as a service” to other criminals. In the absence of a paid ransom, there is a risk that threat actors may refuse to provide decryption keys and post the name of the company and the data on the “wall of shame” on the ‘Dark Web’, to serve as an example to future victims who may consider refusing to pay a ransom. In addition, the injunction would likely further aggravate threat actors – already frustrated that the ransom was unpaid. In that case, the threat actor may be tempted to re-enter the system and cause additional harm. If claimants proceed to seek an injunction, they should ensure that the threat actors are out of the company’s IT environment – which is often difficult to determine within the very tight timeframes that threat actors typically provide to pay the ransom.
The court’s decision to maintain the anonymity of the victim company serves as a reminder that the courts set a high threshold for derogations from the principle of open justice; such outcomes are therefore likely to be limited to exceptional circumstances. The fact that a cyberattack victim may suffer reputational damage would not be enough to automatically lead to an anonymity order, but the courts would likely consider such orders where the nature of the victim’s business would make release of its stolen data a safety concern. If there is further case law in this area, it will likely add further colour to the parameters that are sufficient to satisfy “exceptional circumstances.”