Data Breach: The High-Stakes Battle Against Unknown Hackers

Data breach by unknown computer hackers, operating in a foreign jurisdiction and trying to extort your business for ransom payments for the return of confidential information, reads like a best selling novel, unfortunately not.

The recent case of HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 may be of particular interest.

The NSW Supreme Court granted an injunction against the unknown computer hackers disseminating the highly confidential information they stole from the applicants. This injunction restrained the unknown computer hackers from placing the confidential information on the internet, transmitting or publishing it, using it for any purpose, or facilitating its publication. The injunction that was granted extended to any third party who may be in possession of the confidential information.

Facts

On 26 April 2023, computers hackers claimed to have stolen valuable internal data of the applicant, highly confidential information such as financial, credit card and loan information. The computer hackers sought a ransom of $4 million dollars.

The computers hackers made attempts to isolate and persuade the applicant to pay their demand as the cost of paying a ransom would pale in comparison to the consequences of data publication.

After a period of back and forth, it was ascertained that the computer hackers had used an unauthorised IP address which could approximately be located in Sofia, Bulgaria.

Proceedings

On the application of the applicant the Court granted interlocutory relief on the 12 June 2023, these interlocutory orders were sent to the email address in which was being used to communicate with the computer hackers. The applicant received a response, safe to say their response indicated their displeasure of the injunction being granted. By the 23 June 2023 the sample cache of confidential information the computer hackers had posted online could no longer be found on the dark web forum.

On the 18 July 2023, the Court granted orders for substituted service, which allowed the applicant to serve the computers hackers via the email address and dark web forum used by the hackers. On the 15 August 2023 the computer hackers were served a Statement of Claim.

On the 18 September 2023, the computers hackers failed to attend Court and default judgment was subsequently applied for and granted 12 February 2024.

Decision

A permanent injunction was granted. Orders were made to prevent the computer hackers and any other third party in possession of the confidential information from;

  • placing material on any location accessible via the internet;
  • transmitting, publishing or disclosing the information;
  • using (including viewing) any information obtained, and
  • promoting, or publishing any links to the locations in which the information may be downloaded.

The Court noted that such injunction will be useful notification to potential publishers of the data that they should not take any steps to frustrate the effectiveness of the Court’s orders.

The extension of the injunction to third parties is an effective way to limit the unauthorised publication or sharing of any data that is personal or confidential in nature.  Should a third party publish the material the subject of the injunction on their online platform, the publication of such material may constitute a breach of the court orders.

Conclusion

Data protection is paramount, as all business take steps to protect client personal and confidential information.

Baybridge can provide critical and timely assistance should your business face a data breach. Baybridge will work with you to establish if the breach is a reportable breach to government regulatory authorities and act swiftly to seek injunction relief to stop any further dissemination of personal or confidential information.

If you require any assistance taking steps to protect a data breach, please contact us to discuss further.

Baybridge

Articles you might also like