Landmark legal case highlights value of injunctions in cyber attack cases

A cybersecurity expert at national law firm Weightmans is calling for businesses and insurers to reconsider the value of ‘persons unknown’ injunctions in managing the fallout from cyberattacks, after successfully securing an injunction that preserved the claimant’s anonymity and established a new point of case law.

In ‘XXX vs Persons Unknown’, the claimant was subject to a ransomware cyberattack that saw the theft of highly classified, security-sensitive information, much of which was protected by the Official Secrets Act. The stolen data was subsequently uploaded by the attacker to the Dark Web.

The legal team — led by Weightmans partner Edward Lewis, with supporting testimony from Weightmans partner Anthony Rance — successfully secured a permanent injunction in a summary judgment, restraining the defendants from using or distributing the claimant’s confidential information.

Critically, the court also permitted the case to be heard in private, and for the identity of the claimant — a company providing technology-led solutions for security-sensitive and classified projects of national importance — to be withheld.

The judge — Justice Cavanagh — justified this decision on the grounds that there would be a real danger of malicious parties, including hostile nation states and terrorist organisations, seeking and exploiting the claimant’s data if the claimant’s name was exposed.

This rationale introduces a new point of case law, and grounds upon which future claimants may be able to preserve their own anonymity.

Commenting on the case, Edward Lewis, partner at Weightmans, said: “There’s significant debate around the value of an injunction in cases of cyberattacks. There’s always the risk that, by virtue of seeking the injunction in open court, businesses draw attention to the fact their IT systems have been breached or that data has been stolen, and give others an indicator of where the data can be found.  

“However, this case demonstrates that, under certain circumstances and with the right approach, a permanent injunction can be secured in which it is appropriate to limit third-party awareness of the stolen material by withholding the victim’s identity.

“Injunctions are never an option that should be pursued lightly. The courts — rightly — set a high bar to reach. They are also concerned to uphold the principle of open justice, in respect of which there are very few derogations which justify anonymity. But this case establishes a new derogation and highlights why it is so important that injunctions remain an option in the arsenals of organisations falling victim to bad actors and insurers offering cyber cover — particularly where they are handling information that could be misused to cause significant disruption or harm in the wrong hands.

“It was also significant in this case that we were able to secure a summary judgment, rather than a judgment in default, meaning the case was decided on merit, rather than because the defendant had failed to engage with proceedings or enter a defence. As cybercrime is often executed across borders, a summary judgment gives the ruling additional weight should it ever need to be enforced in an overseas court.”
