November 21, 2022
On 24 March XXX (the claimant), which was described as a multi-discipline company providing technology-led solutions for security-sensitive and highly classified projects of national significance, received a ransom note saying that cyber attackers had downloaded to their own servers the claimant’s databases, FTP server and file server, and that they had encrypted files from the claimant’s computers making them inaccessible to the claimant. The attackers provided two email addresses and demanded a ransom of US$6.8 million in exchange for decryption and non-disclosure of the downloaded information. The attackers provided proof that they did, indeed, have the files or some of the files they claimed to have hacked.
The stolen information was categorised as: (i) security sensitive; (ii) commercially sensitive; and (iii) personally identifiable. The majority fell into categories (i) and (ii) and much was highly classified and protected by the Official Secrets Act 1989.
On 29 March, the attackers sent an ultimatum indicating that they would post the information on their platform and start uploading it. At that point, the claimant obtained a without notice interim injunction to restrain the attackers from using or disclosing the data they had taken. The order was served on the attackers by email. About two hours later, an email was received from the same email address in defiant terms, proving that the attackers had received a copy of the order. At that same hearing, the claimant was granted an order for anonymity.
The claimant then issued a claim for breach of confidence, seeking permanent injunctions and damages.
In April 2022, the interim injunction was continued on expanded terms until trial or further order. The order for anonymity was also continued, as was the claimant’s application for the hearing to take place in private.
Unsurprisingly, the defendants did not engage with the proceedings, despite being aware of them.
The claimant then applied for summary judgment in relation to its claim for a permanent injunction. It did not pursue the damages claim, realising that this would be pointless.
Mr Justice Cavanagh had to decide: (i) whether the claimant should continue to be anonymised; (ii) whether the hearing should take place in private (in whole or in part); and (iii) whether summary judgment should be granted.
Cavanagh J directed that the anonymity and private hearing requests would take place in private because it was necessary in the interests of justice to do so, pursuant to CPR 39.2 (3)(a) and (3)(g). At this private hearing, he held that the identity of the claimant would continue to be anonymised on the same terms as before, but that the hearing to deal with the summary judgment application would take place in public.
In terms of the anonymity order, Cavanagh J noted that the mere fact that a business would be likely to suffer negative commercial and reputational consequences if it becomes public knowledge that their computer systems have been hacked and have been the subject of a ransomware attack is not automatically a sufficient reason to grant anonymity. There must be something that particularly justifies anonymity or any other derogation to the principle of open justice. In this case, the justification was the nature of the work undertaken by the claimant and the risk that if the claimant’s identity were disclosed, that would prompt third parties with malign intent, such as organised criminal groups, terrorist organisations or hostile nation states, to try and contact the attackers and/or locate the stolen information that was on the “Dark Web”. In other words, a “very great deal of harm” could be done if the claimant’s identity were disclosed.
As for the decision that the summary judgment application should be heard in public, Cavanagh said that the claimant’s interests were sufficiently protected by the continuation of the anonymity order, as well as the terms of the draft order, which included an order for non-publication of the confidential schedules identifying the confidential evidence provided to the court. Further, it was possible for submissions to be made without needing to refer in open court to anything that would give a clue as to the claimant’s identity.
As for the summary judgment claim, Cavanagh J had no doubt that this should be granted. He was fully satisfied on the evidence that the stolen information had the necessary quality of confidence. Given that it was obtained through computer hacking, it was obtained in circumstances importing an obligation of confidence and there was no doubt that it was being used in an unauthorised manner. Further, the information had not lost the necessary quality of confidence as, so far, very few people were aware of the nature of the leak or where to access the information. In Cavanagh J’s view, it was “hard to think of a more egregious form of breach of confidential information”.
Cavanagh J was also satisfied that the grant of a permanent injunction was not a breach of s 12 of the Human Rights Act 1998. In any event, he had no doubt that the rights of the claimant outweighed any rights enjoyed by the defendants.
Accordingly, Cavanagh J granted summary judgment in the claimant’s favour as well as a permanent injunction in the terms sought. (XXX v Persons Unknown  EWHC 2776 (KB) (25 October 2022) — to read the judgment in full, click here).