Orders Against Unknown Persons – a development in Australian data breach litigation

It is sometimes taken for granted in a data breach response that there is no utility in suing threat actors who are unknown and often located overseas in jurisdictions not amenable to cross-border litigation. However, the recent decision of the Supreme Court of New South Wales in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 demonstrates that there can be grounds to sue unknown threat actors – and sometimes it may be necessary for a party to take injunctive steps to protect its claims of confidentiality.

The HWLE Data Breach

The facts of the HWLE data breach are well-known. In April 2023, a group named AlphV or Blackcat accessed HWLE’s servers and exfiltrated 3.6 terabytes of data comprising 2.4 million files. The data included client files belonging to 65 government agencies and departments (including Home Affairs and Defence), major banks, insurers and numerous ASX-listed companies. The threat actors then attempted to ransom HWLE and on 9 June 2023 published some of the stolen data on the dark web.

The Proceedings

On 12 June 2023, the Court granted interlocutory relief against the threat actors as a class of “those persons who carried out or participated in the unauthorised exfiltration of…