Next in our series of articles looking at cyber issues we consider recent developments around hacking and ransomware.
Ransomware cyberattacks (typically involving use of malicious software designed to block access to electronic information pending payment of a sum of money) have surged over recent years, with some very high-profile victims. In Armstrong Watson LLP v Persons Unknown [2023] EWHC 1761, the victim of a ransomware attack took swift legal action against the unidentified threat actors leading to a judgment and final injunctions in their favour.
The Claim
The claimant, Armstrong Watson LLP, provides professional accounting, tax, financial and related services in the UK. In February and March 2023, hackers were able to obtain a quantity of the claimant’s confidential electronic documents as a result of a ransomware cyber-attack. The threat: pay a ransom or the information would be disclosed or sold, including on the dark web.
The claimant issued a claim for breach of confidence and applied for an urgent interim injunction against ‘persons unknown’. The injunction application sought an order requiring the hackers to identify themselves and to deliver up and/or delete the information (amongst other things).
A claim for breach of confidence will arise where a) information has the necessary quality of confidence, b) the information has been obtained by the defendant where there exists a duty of confidence, and c) the defendant breaches that duty of confidence by accessing, obtaining, retaining, using, publishing, communicating and/or disclosing the information (and/or intending and/or threatening to do so). Other common causes of action against threat actors include proprietary or tracing claims and claims in restitution and fraud.
The court granted the injunction on the terms sought with provision for a ‘return date’ hearing. The claimant was able to serve the papers via the website used by the unidentified defendants to communicate.
Perhaps unsurprisingly, the defendants did not respond to the injunction order and did not turn up to the return date hearing. In doing so, they were in breach of the injunction. In their absence, the court continued the injunctive relief and issued directions for the claim, including for the service of a defence by a certain date. When the defendants failed to file a defence, the claimant applied for default judgment, final injunctive relief and derogations from open justice to protect the confidentiality of the case papers consistent with the substantive relief it sought.
The Outcome
The court granted default judgment and made the interim injunction final. The defendants were restrained from using and disclosing the information, required to delete or deliver up the information, and to provide a signed witness statement confirming compliance. We expect the papers were served, again, via the website used by the hackers.
Are the hackers likely to comply with the terms of the order? It seems unlikely; first and foremost, the hackers will not want to identify themselves. Further, if the hackers are based abroad, they may be beyond the reach of the civil courts of England and Wales. However, the claim and final order i) send a clear message that the claimant would not be entering into negotiations in respect the ransom, ii) may deter the hackers from releasing the information (and any further potential hackers from targeting the claimant in the future), and iii) shows the claimant taking proactive steps to protect its confidential information (and that of its customers). Further, it is possible that the identity of the hackers may become known in the future following criminal investigations.
Learning Points
The appropriateness of legal claims against hackers, including applications for urgent injunctive relief as in the Armstrong Watson LLP claim, should always be considered on a case-by-case basis. Targets will want to weigh up a number of relevant factors, including the impact of the attack (specifically whether it is ongoing), the likely outcome of litigation and associated costs and deterrence.
Next in our series, we look at legal issues arising from generative AI.
For further information, please contact:
Kate Steele, Partner, Hill Dickinson
kate.steele@hilldickinson.com