For businesses dealing with confidential client data, malware attacks by those intent on blackmail can represent an existential disaster. However, as a High Court ruling showed, there is a great deal that the law can do to help them.
A firm providing accounting, tax and financial advice to its clients was the subject of a ransomware cyberattack. Hackers compromised its IT system and obtained a large volume of its confidential electronic documents. They threatened to disclose or sell the information, including on the dark web, unless a ransom was paid.
After the firm launched proceedings, an interim injunction was swiftly granted. The hackers – who had hidden their identities – were restrained from using or disclosing the information. They were ordered to delete or deliver up hacked documents to the firm, together with a signed witness statement. At a later hearing, the firm sought default judgment against the hackers and to make the injunction permanent.
Granting the orders sought, the Court found that the firm had taken all reasonable steps to bring the interim injunction to the hackers’ attention. However, the hackers had entirely failed to engage in the proceedings. They had put in no defence to the firm’s breach of confidence claim and were already in breach of the interim order, having done nothing to comply with its requirements.
The most likely reason for their failure to respond to the proceedings was that they had no intention of identifying themselves. The Court was satisfied that there was a high risk that they would persist in their course of conduct unless restrained by a permanent injunction, breach of which would be a contempt of court punishable by up to two years’ imprisonment or an unlimited fine. Although it remained open to the hackers to apply to discharge or vary the injunction, they were ordered to pay the legal costs of the proceedings.