Practical assistance from the Courts in relation to ransomware attacks: XXX v Persons Unknown (2022)
Written By
Associate
UK
I am an associate and solicitor-advocate in Bird & Bird's Dispute Resolution team, advising clients on matters involving commercial litigation, international arbitration and alternative dispute resolution (ADR), with experience in a variety of sectors, including the financial services, media, entertainment & sports, technology & communications, energy & transport, pharma / life sciences and retail & consumer sectors.
Related
Practices
Sectors
Regions
Countries
Offices
The English High Court has once again demonstrated that it has a number of weapons in its procedural armoury to help corporate victims of ransomware attacks. In a recent decision (XXX v Persons Unknown [2022] EWHC 2776 (KB)), a final injunction was granted in respect of a breach of confidence claim against a group of unknown defendants who illegally obtained confidential information by way of a ransomware attack. The Court also maintained the anonymity of the claimant in granting the injunction.
We consider the facts and explore the practical outcomes of the case in this article.
Facts
In March 2022, the claimant (who remains anonymous for the purposes of this claim) received a ransom note, notifying them that they had been the victim of a cyber-attack in which cyber attackers had obtained and downloaded the claimant’s databases, server and encrypted files and had made them inaccessible to the claimant. The claimant’s business related to the provision of technology-led solutions for projects of national significance and as such the data obtained was highly classified, security-sensitive information that was protected by the Official Secrets Act 1989. The attackers demanded a ransom of USD 6.8 million in exchange for the decryption and non-disclosure of the data. The claimant made a without notice application and, on 30 March 2022, the Judge (Stacey J) granted an injunction which prohibited the attackers from using or disclosing the data that they had obtained from the cyber-attack. This injunction was continued at a subsequent hearing by another Judge (Chamberlain J) until trial or further order.
The claimant then brought proceedings for breach of confidence, claiming both a permanent injunction and damages. The claimant subsequently sought a summary judgment in respect of the permanent injunction.
Breach of confidence claims
In order to succeed with a claim for breach of confidence, the claimant must establish that (Attorney General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109) the information:
- has the necessary quality of confidence;
- that the defendant came to know of what was being said in circumstances importing an obligation of confidence; and
- that there had been unauthorised use or a threat to use that information to the detriment of the owner of the information.
Remedies available for breach of confidence include an injunction, an award of damages or account of…
