High Court Maintains Victim’s Anonymity in Cyber Attack Case
Summary
In the recent case of XXX v Persons Unknown,[1] the High Court granted summary judgment against an unknown cyber attacker, and unusually for civil proceedings in the High Court, allowed the Claimant company to remain anonymous.
Factual Background
The anonymous Claimant provided technology services, including hosting databases containing highly-classified data, including data of national security and subject to the Official Secrets Act 1989. In March 2022 the Claimant received an email informing it that its databases, servers, and encrypted files had been downloaded by a third party and the Claimant no longer had access to them. The cyber attacker demanded USD 6.8 million to remove the ransomware and restore the Claimant’s access. The attacker also threatened to the release the data to the ‘Dark Web.’
Prior to the summary judgment, the Claimant made a without-notice application for an injunction to prevent the data being released to the Dark Web. At the hearing for such, an injunction was granted against the cyber attacker, which was then continued at a subsequent hearing.
The Claimant then brought full proceedings for breach of confidence, the remedy for which would be a permanent injunction and damages. As there was no response from the Defendant, despite alternative service having been granted to send the relevant to documents to the email address from which the ransom demand came, the Claimant made an application for summary judgment with regard to the permanent injunction.
Decision by the High Court
As the Defendant did not engage with the proceedings at all, the Court unsurprisingly granted the summary judgment permanent injunction, as the Defendant had no real prospect of defending the claim. The question of damages was also left open, and could be revisited should the Claimant ever discover the identity of the Defendant.
The more interesting decisions were with regard to the anonymity of the Claimant and whether the hearing should be in public or private.
While stressing that open justice (i.e. that justice must be seen to be done) is a crucial part of the English legal system, Cavanagh J stated that there are precedents for granting anonymity to claimants. There are two main categories of such derogations from the principle of open justice: maintenance of the administration of justice and harm to other legitimate interests.[2] The judge quoted some more detailed guidance on the first category:
‘In the first category fall cases — such as claims for breach of confidence — which, unless some derogation is made from the principles of open justice, the Court would, by its process, effectively destroy that which the claimant is seeking to protect. Depending upon the particular facts, the Court may need either to anonymise the party/parties, or (if the parties are named) withhold the private/confidential information from proceedings in open court and in any public judgment.’[3]
Cavanagh J stressed that
‘the mere fact that a business would be likely to suffer negative commercial and reputational consequences if it becomes public knowledge that their computer systems have been broken into and have been the subject of a ransomware attack is not automatically a sufficient reason to make orders that have the effect of keeping secret the name of a claimant. This applies even though the claimant business in a case such as this is the victim of blackmail.’[4]
He decided to grant the anonymity order, however. He said:
‘The particular feature that justifies the continuation of the anonymity order in the present case is the nature of the work that is carried out by the claimant and the risk that if the identity of the claimant is disclosed, this will prompt third parties with malign intent to seek to make contact with the blackmailers and/or to locate the stolen information on the ‘Dark Web’ … there is a real danger, if the claimant’s identity is made known, that malicious persons, including hostile nation states, organised criminal groups and terrorist organisations, will exploit this information by seeking the material that has been stolen in the ransomware attack … It follows that a very great deal of harm may be done if the identity of the claimant is disclosed.’[5]
However, given the order of anonymity, Cavanagh J said that the hearing of the summary judgment application could be heard at an open hearing. Any derogation from open justice must be justified by necessity and must go no further than necessary,[6] and therefore he handed down a public judgment but one from which the Claimant could not be identified.[7]
Commentary
Following from our recent article on crypto-fraud, this is another example of the Court bending over backwards to help the victims of technology-enabled crime.
Although as mentioned above, this course of action will not be available to every victim of a cyber-attack, this case will be a welcome precedent for those curators of databases containing documents of national security, who will likely be able to obtain injunctions against cyber-attackers in the future without having to have their names revealed to the Court and subsequently plastered over the media and the internet.
One of the Court’s primary intentions when deciding on whether to grant anonymity is not to become a ‘instrument of harm’[8] in cases of cyber-attacks. In the circumstances of this case, and those like it, this aim takes precedence over the principle of open justice. Watch this space to see whether the pendulum continues to swing in favour of anonymity over open justice, and to find thee exact cut-off point between these competing principles. As cyber-crimes become more common (and affect even those with very sophisticated defences), the Courts are bound to have more to say on this topic in the near future.
[1] XXX v Persons Unknown [2022] EWHC 2776 (KB)
[2] Ibid. at 23.
[3] Various Claimants v The Independent Parliamentary Standards Authority [2021] EWHC 2020 (QB) at 37.
[4] Above n.1 at 25.
[5] Above n.1 at 28.
[6] Above n.1 at 33(1).
[7] Above n.1 at 33(4).
[8] Above n.1 at 29.
