A company working in 'security-sensitive and highly classified projects of national significance' has succeeded in having its identity withheld from a summary judgment against the unknown perpetrators of a $6.8m 'ransomware' attack. In XXX v Persons Unknown, Mr Justice Cavanagh agreed that a derogation from open justice was needed to prevent the court itself becoming 'the instrument of harm'.

National firm Weightmans, which acted for the company identified as XXX, said the verdict shows the value of 'persons unknown' injunctions in managing the fallout from cyberattacks. Previous injunctions have required the victims - including law firms - to be named in open court. 

In XXX, the court heard that in March this year, a 'multi-discipline company'... whose clients 'require the utmost discretion, secrecy and protection from external threats', received a demand for $6.8m in return for the unlocking of files in its computers and the non-disclosure of information downloaded from them. Some of the data was protected by the Official Secrets Act. The business obtained a without-notice interim injunction which was served by email on the hackers who indicated 'in defiant terms' that it had been received. No further communication has been received from them. 

Ruling on an application for summary judgment Cavanagh observed that 'Perhaps unsurprisingly, the defendants have not engaged with the proceedings at all'.

The judgment, which followed a private hearing, notes that derogations from open justice can be justified as necessary on two grounds: maintenance of the administration of justice and harm to other legitimate interests. The judge found that the mere fact that a business would suffer negative consequences if it became public knowledge that its systems had been hacked would not automatically justify secrecy. However in this case, anonymity was justified by the nature of its work and the risk that, if its identity was known, 'third parties with malign intent' might locate the stolen information on the so-called 'Dark Web'. 

Identification of the claimant would thus 'make the court the instrument of the harm that the defendants seek to impose'. 

Edward Lewis, partner at Weightmans, said the ruling raises a new point of case law, and grounds upon which future claimants may be able to preserve their own anonymity.

'There’s significant debate around the value of an injunction in cases of cyberattacks. There’s always the risk that, by virtue of seeking the injunction in open court, businesses draw attention to the fact their IT systems have been breached or that data has been stolen, and give others an indicator of where the data can be found,' he said. 'However, this case demonstrates that, under certain circumstances and with the right approach, a permanent injunction can be secured in which it is appropriate to limit third-party awareness of the stolen material by withholding the victim’s identity.'

Lewis also noted that, as a summary judgment rather than a judgment in default, it would have additional weight should it ever need to be enforced in an overseas court.

 

Kajetan Wandowicz, instructed by Weightmans LLP, appeared for XXX. The defendants did not appear and were not represented.