Injunctive relief for company blackmailed by anonymous hacker (PML v Person(s) Unknown)

Injunctive relief for company blackmailed by anonymous hacker (PML v Person(s) Unknown)

Richard Munden, barrister at 5RB, examines a High Court decision to restrain an unknown defendant from publishing data he had stolen when he hacked into the claimant company’s computer system, and which he was threatening to disclose unless it paid him a ransom. The court also ordered the defendant to identify himself (a self-identification order).

PML v Person(s) Unknown (responsible for demanding money from the claimant on 27 February 2018) [2018] EWHC 838 (QB)

What are the practical implications of the judgment?

The case demonstrates the value to victims of hacks or data breaches in swiftly applying to the courts for injunctions. Not only was the court willing to make a range of orders against an anonymous hacker—including that he identify himself on penalty of a finding of contempt of court—but the claimant was also able to use the orders granted against the defendant to swiftly have its data removed or rendered inaccessible from websites on which it was posted. Website hosts, even if based overseas, tend to react favourably when presented with a court order demonstrating that information on their servers is confidential and the product of malicious hacking.

The judgment also shows that victims of blackmail threats to publish confidential or sensitive information should not be held back from seeking relief by a fear of publicity. The court was alert to the need to adapt its procedures so as not to discourage blackmail victims from seeking justice, such that the hearings were held in private, the claimant anonymised (or pseudonymised), and the court file sealed.

Following this judgment, it is likely to become the norm to seek a self-identification or ‘Spartacus’ order whenever a non-disclosure order is sought against a unknown defendant, Nicklin J making clear that such orders may well be justified where a claimant has satisfied section 12(3) of the Human Rights Act 1998 (HRA 1998) as otherwise, remedies are unlikely to be effective.

What was the background?

The claimant was a UK company which received an email from the defendant stating that the company’s servers had been hacked, and all the data copied. The defendant attached sample documents and provided a link to a password-protected ‘cache website’ containing a copy of the data. He stated that he would delete the data if the company paid him £300,000 (via Bitcoin) within two weeks, but if it did not pay then he would make the data public. The email also stated that any contact with the police would similarly lead to the claimant’s information being published. The claimant investigated and found that it had indeed been the victim of a hack, with a very large quantity of its data being copied.

The claimant immediately reported the matter to the police. It also communicated with the defendant, requesting extensions of the deadline and further assurances. The defendant engaged, although he raised his price and threatened to look for buyers. He did, however, offer to accept payment in instalments.

The claimant then applied, without notice, for an interim non-disclosure order, and for an order for delivery up and/or destruction of the stolen data.

At the first hearing, Bryan J, sitting in private, granted the injunction for a three-week period. He anonymised the claimant, on the basis that it was a victim of blackmail, and restricted access to the court file. He was satisfied that the requirements of HRA 1998, s 12(2) and (3), were met. The blackmail element and the risk of publication if the defendant were notified of the application constituted compelling reasons why he had not been so notified.

The judge permitted the order to be served by email, as the only method available. The defendant replied defiantly, and then again to state that he had removed the password protection from the cache website, such that it was publicly accessible. He also stated that he would email the claimant’s customers the following Monday.

Separately, however, the claimant had identified the company hosting the cache website, and had obtained from the court of the relevant jurisdiction an order for it to block access to the cache website, with which it complied.

The defendant emailed the claimant to state that he had set up another website hosting the documents, and that he was looking for buyers for the data. The claimant identified companies hosting websites containing the data, including postings on a financial forum, all of which blocked access to or removed them following service of Bryan J’s order.

Thereafter the defendant made further threats of publication, although he did reduce his asking price to £100,000.

What did the court decide?

On the return date, Nicklin J continued the injunction. The defendant had continued to threaten to publish the information unless paid a large sum of money—indeed, the postings on the forum appeared to be by him, and thus in direct breach of the order.

The court was satisfied that the claimant was likely to establish that the circumstances in which the defendant came to be in possession of the relevant information—by hacking—imposed an obligation of confidence on him (Imerman v Tchenguiz [2010] EWCA Civ 908, [2011] 1 All ER 555). The defendant had not suggested there was any public interest which might justify such publication. HRA 1998, s 12(3), was therefore satisfied. The defendant’s failure to deliver up or delete the stolen data was a breach of the order and further supported its continuation.

Because the defendant was seeking to blackmail the claimant, and it was necessary to hear submissions as to the defendant’s activities and the data that was stolen, the court heard the application in private, anonymised the claimant, and sealed the court file.

Nicklin J also made an order that the defendant identify himself (the ‘self-identification’ or ‘Spartacus’ order), noting that such an order was necessary if any remedies against the defendant were to be effective.

Given the possibility that the defendant was resident abroad, the judge also granted the claimant permission to serve out of the jurisdiction. The detriment the claimant would suffer would be within the jurisdiction, and the threatened publications would include publication within the jurisdiction, such that both limbs of CPR PD 6B, para 3.1(21) were satisfied.

Interviewed by Robert Matthews.

Related Articles:
Latest Articles:
About the author: