It is sometimes taken for granted in a data breach response that there is no utility in suing threat actors who are unknown and often located overseas in jurisdictions not amenable to cross-border litigation. However, the recent decision of the Supreme Court of New South Wales in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 demonstrates that there can be grounds to sue unknown threat actors – and sometimes it may be necessary for a party to take injunctive steps to protect its claims of confidentiality.
The facts of the HWLE data breach are well-known. In April 2023, a group named AlphV or Blackcat accessed HWLE’s servers and exfiltrated 3.6 terabytes of data comprising 2.4 million files. The data included client files belonging to 65 government agencies and departments (including Home Affairs and Defence), major banks, insurers and numerous ASX-listed companies. The threat actors then attempted to ransom HWLE and on 9 June 2023 published some of the stolen data on the dark web.
On 12 June 2023, the Court granted interlocutory relief against the threat actors as a class of “those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems.” The orders were served by HWLE by email to the address from which the firm had received the ransom. HWLE received a three word expletive response.
The Court subsequently made orders for substituted service of a statement of claim. The threat actors did not appear and HWLE made an application for default judgment, which was set down for hearing on 26 November 2023.
The Court considered the following issues in determining whether to grant the final relief sought by HWLE:
From one point of view, the judgments represents a Pyrrhic victory for HWLE. The firm has no realistic ability to enforce the judgment against the threat actors or online publishers overseas. The prospects of recovering the costs of the Supreme Court litigation against the defendants must be close to zero.
However, the judgment also represents the important fact of HWLE having taken reasonable steps to protect confidential information belonging to its partners and clients that was stolen in the data breach. As the decision of the High Court in Glencore International AG v Commissioner of Taxation [2019] HCA 26 demonstrates, seeking an injunction to protect stolen confidential information is often a necessary step if the party wishes to maintain its claim for confidentiality. A failure to seek an injunction might (in certain circumstances) become evidence of waiver of that claim.
The judgment also noted that the effect of the orders may be to dissuade potential publishers and online platforms from further disseminating the stolen data. This was no doubt a strategic consideration motivating the plaintiffs in seeking the injunctions.
Our privacy and data protection team are at a forefront of data breach litigation. Please reach out to discuss any aspect of this area further with our team who would be happy to assist.