HCE v UEH & Anor

Neutral Citation Number: [2026] EWHC 33 (KB)

Case No: KB-2025-004721
Neutral Citation Number: [2026] EWHC 33 (KB)
IN THE HIGH COURT OF JUSTICE
KING’S BENCH DIVISION

MEDIA AND COMMUNICATIONS LIST

Royal Courts of Justice

Strand, London, WC2A 2LL

Date: 12th January 2026

Before :

Mr Justice Sheldon

Between :

HCE

Claimant

- and -

(1) UEH

(2) UEH Limited

Defendants

Adam Speker KC and Chloe Strong (instructed by Fox Williams) for the Claimant

The Defendants did not appear and were not represented

Hearing dates: 23 December 2025

Approved Judgment

This judgment was handed down remotely at 2pm on 12th January 2026 by circulation to the parties or their representatives by e-mail and by release to the National Archives.

MR JUSTICE SHELDON:

1.

The Claimant is a company which operates a website allowing people who are married to meet others to have marital affairs. They have applied for an interim non-disclosure order against the Defendants. The First Defendant is registered on the Claimant’s site. He is a web developer and self-declared internet hacker. The Second Defendant is his web development company which the First Defendant says he uses to build websites and hack the internet. The First Defendant has, by his own admission, accessed the Claimant’s IT systems without authorisation and has exfiltrated information. The Claimant contends that that information is highly confidential.

The hearing

2.

The hearing of the application took place before me on 23 December 2025. The Claimant was represented by Mr Speker KC and Miss Strong. The Defendants were notified of the hearing, although not given formal notice. Their legal representative wrote to the Court in advance of the hearing to say he would not be attending.

3.

At the outset of the hearing, Mr Speker KC requested that the hearing take place in private due to the confidentiality of the material that would be discussed; in the alternative, he asked for the Claimant to be anonymised. I decided that the parties should be anonymised, but that the hearing should take place in public, and that the judgment in this matter should be contained in a document available to the public.

4.

I granted anonymity because, although this constitutes a derogation from the open justice principle, in a number of judgments of this Court it has been recognised that there is a legal policy to protect the identity of victims of blackmail attempts, including corporate victims: see PML v Person(s) Unknown [2018] EWHC 838 (QB) at [15]. The present case, at least arguably, involves a blackmail attempt by the First Defendant. I also grant anonymity to the Defendants as I have not heard argument from them on this point and I give them the benefit of the doubt, pending a full inter partes hearing or trial, as to their position on anonymity.

5.

Furthermore, it was clear to me that naming the Claimant could give rise to a breach of the Article 8 (right to private life) Convention rights of users of the Claimant’s website. That was not because there was a risk that their identities would be revealed either at the hearing of the application or in this judgment, as there was no need to refer to their specific identities. There was a clear risk, however, that their use of the website could become known to their spouses, which was something which they did not wish to occur, if the name of the Claimant was publicised. The name of the Claimant is substantially similar to the name of the payee that appears on the credit card or bank statements of website users, rather than the name of the dating platform itself. If the members’ spouses looked at the credit card statements or bank statements, with knowledge of the name of the Claimant in this case, it would be possible for them to work out that their spouses were using the site.

6.

After dealing with these preliminary matters, Mr Speker KC made oral submissions to supplement his skeleton argument. At the end of his submissions, I announced my decision to grant the interim non-disclosure Order and, after further submissions as to the content of the Order, I informed the Claimant of the terms of the Order that I would make. I explained that I would give my reasons at a later date. What follows sets out my reasons.

The Factual Background

7.

The Claimant is a technology company whose business includes the operation of an online platform through which it provides dating services to users: its members. The platform allows its members to connect with other individuals for the purposes of engaging in discreet romantic experiences. It is specifically aimed at married people who are looking to have extra-marital affairs.

8.

In order to facilitate discreet connections members are invited to set up ‘profiles’, through which they can connect and interact with other users and engage in private conversations. Different levels of membership are available, offering additional features. Members may use aliases or false images to protect their identities and retain anonymity, although not all do. The platform incorporates features designed to protect and safeguard the privacy of members' identities and communications.

9.

The Claimant collects and processes data relating to its members, including their names, email addresses, sexual orientations, likenesses and private messages. The Claimant’s internal database includes a spreadsheet which contains approximately 1 million rows currently containing data.

10.

The First Defendant was an active member of the platform, registering on 20 October 2020. On that date, he messaged the platform’s support team offering to provide website support in exchange for lifetime membership; he made a similar offer on 26 October 2020. The offers were not taken up.

11.

On 15 December 2025, the Claimant became aware that a data breach had occurred and subsequently identified the First Defendant as being responsible. The breach appears to have taken place between 4th and 12th December 2025.

12.

It is believed that the First Defendant, and possibly the Second Defendant, are in possession of a very large volume of user data such as usernames, profile descriptions, gender preferences, age ranges, location data and message metadata (including usernames of members to whom messages have been sent and/or received, including the contents of such messages). It is also believed that the Defendants are in possession of photographs which were stored by the platform.

13.

On 17 December 2025, the Claimant’s solicitors wrote to the First Defendant setting out potential legal action in respect of his unlawful access to the databases, seeking delivery up of the confidential information and the provision of written undertakings. On 18 December 2025, the First Defendant responded. He acknowledged that he did not have explicit permission to perform “security testing”, but stated that he was acting in his capacity as “a white-hat hacker (ethical hacker)”. He explained that his “intent was always to identify vulnerabilities to help improve the security of your platform, not to exploit or damage your systems.” He said that his actions were “aimed at identifying and verifying an existing vulnerability, not exploiting it for personal gain.”

14.

The First Defendant said that he had not deleted the data that he had accessed, and was retaining the data securely until “both the vulnerability is resolved and this matter is fully addressed”. The First Defendant stated that the data included “sensitive information such as Politically Exposed Persons (PEPs)”, and that it was securely stored in an encrypted format to ensure it is fully protected from unauthorized access. The data will not be used, shared, or disclosed for any improper purpose. The First Defendant said that the data was held solely for legal and investigative purposes and “to ensure I can provide evidence related to this matter if required. Once both the vulnerability is fully addressed and this legal matter is resolved, I will either delete or return the data in accordance with applicable data protection laws and any necessary legal requirements.” The First Defendant denied that he had “knowingly or recklessly retained or misused this data in violation of the Data Protection Act 2018 (DPA)”.

15.

With respect to the “resolution” of this matter, the First Defendant stated that “While I am open to resolving this matter privately and without escalation, I want to make it clear that I reserve the right to file a formal complaint with the Information Commissioner’s Office (ICO) if this situation is not resolved amicably and in accordance with data protection laws.” The First Defendant stated that the Claimant could be subject to “substantial ICO fines should they be notified. Should I be compelled to escalate this matter, it is my professional opinion that your client could face the upper range of ICO fines due to their failure to implement basic security measures and the lack of necessary protection for user data.” The First Defendant urged the Claimant to take this matter seriously and engage in a constructive dialogue to resolve the issue “before that becomes necessary. I remain hopeful that we can come to a resolution without involving the ICO.”

16.

The Claimant’s solicitors responded to say that legal proceedings would be issued. Solicitors were then instructed by the First Defendant, who wrote on 22 December 2025 to offer the Claimant undertakings: (i) not to disseminate the data “(allegedly) extrapolated from your client’s website”; and (ii) to confirm that any data would be locked securely in a highly encrypted vault, the password to which would be accessible only by the First Defendant. These undertakings were not regarded by the Claimant as adequate, as they were not undertakings made to the Court and they did not include delivery up or deletion of the data.

Discussion

17.

The test for interim relief is that set out in American Cyanamid Co. (No. 1) v Ethicon Ltd. [1975] AC 396. That is, is there a serious question to be tried? Where does the balance of convenience lie? Would damages be an adequate remedy? Where, as here, the Claimant seeks mandatory orders, the Court should consider whether it has a “high degree of assurance that the [claimant] will be able to establish” his claim at trial: see Zockoll Group Ltd. v Mercury Communications Ltd. [1998] FSR 354 at p.366. In my judgment, the enhanced American Cyanamid test is made out.

18.

The First Defendant has acknowledged that he has accessed information belonging to the Claimant, and that he was not authorised to do so. The First Defendant has not agreed to return that information as requested, rather he has said that he is “open to resolving this matter privately and without escalation”, but reserves the right to make a complaint to the ICO and has referred to the fines that the ICO can impose.

19.

It seems to me that it is strongly arguable that the First Defendant has acted unlawfully in obtaining, examining and then retaining the Claimant’s information, information which is plainly confidential – the overall package of information is confidential to the Claimant, and some of the individual pieces of information that the Defendants retain are likely to be confidential to the Claimant’s members (I refer to the Defendants in the plural, as it is possible that the information is held by the Second Defendant as well). The First Defendant appears to have examined the information, or at least some of it, as he refers to the data including information relating to Politically Exposed Persons. The First Defendant has not offered to return or delete the information as part of the proffered undertakings, and the Defendants continue to retain it.

20.

Furthermore, it is strongly arguable that the First Defendant has retained the information as part of a blackmail attempt. Whilst the First Defendant has referred to himself as an “ethical” or “white hat” hacker, and whilst it may well be the case that his actions have exposed vulnerabilities of the Claimant’s website and the strength of its protections for the information that it holds, an arguable inference from the First Defendant’s language is that he is threatening the Claimant that, if his terms are not agreed, he will refer the Claimant to the ICO. The First Defendant has not articulated what his terms are, but they could well include a financial payment.

21.

Against this background, it is clear that the Claimant has a strongly arguable claim for breach of confidence. A duty of confidence extends to an individual who has obtained confidential information intentionally and without authorisation: see Imerman v Tchenguiz [2012] Fam 116 at [66]-[67]. Furthermore, there is a breach of confidence for an individual to examine and retain confidential documents: see Imerman at [36].

22.

Further, damages would not be an adequate remedy. The information that the First Defendant retains is of real value to the Claimant’s business, and also to those of its members.

23.

The balance of convenience strongly falls in favour of the grant of interim relief: the Defendants have no legitimate basis to retain the information. If the First Defendant wishes to discuss the vulnerabilities of the Claimant’s website, then he is free to do so without holding onto the information that he has exfiltrated. That would be more in keeping with what I am told is the modus operandi of an ethical or white-hat hacker.

24.

I also do not consider that Article 10 of the Convention is engaged. The First Defendant has not said that he is proposing to disclose the information that he has obtained. Section 12(3) of the Human Rights Act 1998 is not engaged, therefore.

25.

The Claimant is, therefore, entitled to much of the interim relief that it has sought. This includes delivery up or destruction of the information. The Defendants have no justification for holding on to the information. I do not consider that the Claimant is entitled to an order requiring the First Defendant to explain how he exfiltrated the information. That is an unusual form of order: it may involve the First Defendant in incriminating himself which he ought not be compelled to do, without further argument as to the appropriateness of such an order.

Conclusion

26.

For the foregoing reasons, therefore, I grant the application for interim relief.
