Injunctions against anonymous cyber-hackers: waste of time or worth the trouble?
Cyber-hacks have surged in recent years, with some very high-profile victims. While there are some exceptions, those responsible for these hacks usually seek to remain anonymous, meaning that their identity and location are often unknown. However, there are still legal options which can be pursued with a view to minimising the publication of hacked data or information. For example, injunctions can be obtained against hackers, even if they cannot be identified by name. And while cyber-criminals based overseas might not take much notice of such an injunction, orders can be framed to capture others who come into possession of the hacked information with knowledge of the orders. This, in turn, can at least help to prevent the further dissemination of hacked data or information in places where it is more likely to be seen by ordinary people, and not just those lurking on the dark web with nefarious intent.
The recent ruling in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 is a case in point.
The HWLE cyber-hack: what happened?
HWL Ebsworth (HWLE) is a large Australian law firm. In April 2023, hackers claiming to be from Russian group ALPHV (also known as BlackCat) infiltrated HWLE's computer systems. The clients affected by the hack included 65 federal and state government agencies and departments (including Home Affairs and Defence), numerous ASX listed companies, insurers and major Australian banks.
The hackers were able to extract around 3.5 terabytes of HWLE's data (comprising approximately 2.5 million documents), which included sensitive client information. A ransom of around $AUD7.1 million was demanded by the hackers. In an effort to uncover the facts and reclaim its data, HWLE engaged in communication with the hackers via the dark web forum they had utilised to contact (and make demands of) HWLE. Through these exchanges, HWLE determined that the hackers likely possessed the HWLE files and data they purported to hold.
Ultimately, HWLE refused to pay the ransom to BlackCat. In response, on 9 June 2023, BlackCat published approximately one million of HWLE's documents on the dark web.
The proceedings
HWLE sought and was granted an interim injunction by the NSW Supreme Court in June 2023 (the Interim Orders). The hackers were ordered to remove the stolen data from the internet and were prohibited from sharing the stolen data for any purpose other than obtaining legal advice, until further order. As a result of the hackers' anonymity, the parties subject to the injunction were not identified by name, but were described as a class: "those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems".
HWLE sent the Interim Orders to the hackers via the same email address they had used to communicate the demands and at the forum on the dark web where BlackCat had made its threats. Here, a response from the hackers (which included the unrepeatable line "f*** you ******") was sufficient for the Court to infer that the hackers were "displeased that HWLE had taken legal proceedings rather than paying the ransom". The response also satisfied the Court that the hackers had received the Interim Orders.
In February 2024, HWLE was granted default judgment and a permanent injunction similar to the Interim Orders (when, perhaps unsurprisingly, the attackers did not appear). Those permanent orders prohibit the "persons unknown" described above from disseminating HWLE's "exfiltrated" confidential information. Importantly, however, the orders also apply to any other third party who comes into possession of the hacked information with knowledge of the orders.
In determining whether to grant the final relief sought by HWLE, the Court considered the following key issues:
- Service: Based on an IP address search by HWLE, the Court was reasonably satisfied that the defendants were located outside Australia. The Court was satisfied that appropriate steps were taken to bring the application for default judgment to the defendants' attention, and that it was served in accordance with the orders for substituted service.
- A judgment against "persons unknown": HWLE sought to define the defendants with as much precision as possible to avoid an impermissible claim of injunctive relief against the "world at large" (i.e. a class that would apply indiscriminately to all individuals, without specifically identifying the defendants or the group of individuals who are allegedly responsible for the wrongful act).
- Breach of confidence: The criteria for proving a breach of confidence are well-established, requiring specific identification of confidential information, its reception under circumstances implying confidentiality, and actual or potential misuse. In this instance, the theft of confidential records coupled with attempted extortion unequivocally supported the breach of confidence claim.
So, was this all worth it?
In its decision, the Court referred to a recent decision of the English High Court where an injunction was also granted against unidentified hackers in a breach of confidence claim, demonstrating that HWLE is not the only party which has seen merit in pursuing litigation in these circumstances (XXX v Persons Unknown [2022] EWHC 2776 (KB)). However, this all raises the question: how much can actually be gained by pursuing and seeking such orders?
At least superficially, HWLE enjoyed a significant measure of success in this case by obtaining the injunction sought and an order that the defendants pay HWLE's costs. As HWLE no doubt recognises, it would face significant (and perhaps insurmountable) obstacles in seeking to enforce the judgment against the hackers themselves and recovering its costs of the litigation from them. Further, at a practical level, unless law enforcement agencies have the desire and capacity to take effective action, there is not much that can be done to stop hackers from releasing information on the dark web and selling it to others who might seek to use it for nefarious purposes. To that extent, some might suggest that there is limited utility in pursuing and seeking orders of the kind obtained by HWLE. However, this is simplistic and ignores two critical points.
First, a key aspect of the orders obtained by HWLE was that they also apply to third parties who come into possession of the hacked information with knowledge of the orders. This means that, if orders like this are made, affected parties will be able to notify legitimate third parties (such as media outlets and online platforms) who may be at risk of broadcasting the material. Those platforms will then be on notice of the orders and should be incentivised to prevent the dissemination of the hacked material via their platforms.
Second, parties invariably have obligations to safeguard the confidentiality of hacked information. Where that confidentiality is breached due to a hack, parties should generally do - and be seen to be doing - what they can to prevent or minimise the extent of harm. Even if injunctions might not impact hackers, for the reasons set out above, they can provide ancillary benefits in relation to the further dissemination of hacked information by legitimate individuals and organisations. Depending on the terms, they might also assist with recovery on relevant insurance policies and reduce the risk of securities class actions being brought.
This is certainly not to say, however, that litigation should be relied upon as a security blanket in this area. Organisations should do everything within their power to stop hacks from occurring in the first place. Once the horse has bolted, litigation can be one tool to minimise the extent of damage, but it should be only one element of a business' overall cyber risk strategy. To this end, the Australian Information Commissioner recently commenced an investigation into the personal information handling practices of HWLE arising from the hack, including in relation to the security and protection of the personal information HWLE held, and the notification of the data breach to affected individuals.
Key takeaways
- Businesses affected by a cyber-hack do not need to specifically identify the hackers in order to seek injunctive orders from the court.
- Orders can be obtained against "persons unknown" (including persons in foreign jurisdictions) where the class of persons can be sufficiently identified and limited.
- Even if enforcing court orders against hackers might be difficult or impossible, there is still utility in seeking and obtaining an injunction. This is because injunctions can apply (as the orders were framed in this case) to any person involved in the hack or anyone else who comes into possession of the hacked information and is made aware of the Court's orders. This means that an affected business can contact potential publishers of the data, making them aware of their obligations and warning them not to breach the orders.
- By notifying potential publishers of their obligations under the Court's orders, affected businesses demonstrate a proactive effort to mitigate further harm from the cyberattack. This proactive approach is particularly relevant where a business has obligations to maintain the integrity of the stolen data and use its best endeavours to prevent sensitive information from being disseminated.