If this Transcript is to be reported or published, there is a requirement to ensure that no reporting restriction will be breached. This is particularly important in relation to any case involving a sexual offence, where the victim is guaranteed lifetime anonymity (Sexual Offences (Amendment) Act 1992), or where an order has been made in relation to a young person.
This Transcript is Crown Copyright. It may not be reproduced in whole or in part other than in accordance with relevant licence or with the express consent of the Authority. All rights are reserved.
Royal Courts of Justice
Strand
London, WC2A 2LL
Before:
MR JUSTICE CHAMBERLAIN
(In Private)
BETWEEN :
XXX Claimant
- and -
PERSONS UNKNOWN Defendants
ANONYMISATION APPLIES
REPORTING RESTRICTIONS APPLY
__________
MR K. WANDOWICZ (instructed by Weightmans LLP) appeared on behalf of the Claimant.
THE DEFENDANTS did not attend and were not represented.
__________
JUDGMENT
MR JUSTICE CHAMBERLAIN:
This is an application by the claimant, a commercial entity with a substantial international business. On or shortly before 24 March 2022, it fell victim to a ransomware attack. At 6.00 a.m. on 24 March, it received a ransom note saying that cyber attackers had downloaded to their servers the claimant’s databases, FTP server, and file server and that they had encrypted files from the claimant’s computers making them inaccessible to the claimant. The attackers provided two email addresses and said that they would regard any failure to contact them as a refusal to negotiate.
On 26 March, the attackers demanded a ransom of US$6.8 million in exchange for decryption and non-disclosure of the downloaded information.
At about 3.00 p.m. on 28 March 2022, the attackers provided to a firm instructed by the claimant proof that they did, indeed, have the files or some of the files they claimed to have hacked.
At 14.26 on 29 March, the claimant’s instructed consultants received an ultimatum indicating that the attackers would post information on their platform and start uploading information which they had downloaded from the claimant’s servers. At that point, the claimant immediately instructed solicitors to make an application without notice. The application came before Stacey J at about 1.00 a.m. on 30 March 2022. Stacey J granted a without notice injunction prohibiting the attackers from using or disclosing the data they took during the attack. The order contained confidentiality provisions and a permission for alternative service on the two email addresses provided by the attackers in their ransom demand. That order was provided by the court in sealed form at 10.51 on 30 March and was thereafter served on the attackers at the email addresses indicated in the order. About two hours later, an email was received from the same email address in defiant terms. I have read the terms of that email and I accept that it shows, as submitted by Mr Wandowicz for the claimant, that the attackers have, indeed, received a copy of the order. The order provided within it for a return date which was today and so it can be safely assumed that those who have perpetrated the cyberattack I have mentioned have received notice of today’s hearing. No further response from the attackers has been received since then.
Mr Wandowicz very properly draws to my attention two mistakes which were made by those instructing him for which he also takes responsibility. The first was that no full note was taken of the hearing before Stacey J, only the judgment she gave. The second is that after the hearing before Stacey J but before the proceedings were served, it became clear that it was necessary to redact parts of the evidence which was deployed before Stacey J and no permission for doing that had been sought or granted by Stacey J. However, Mr Wandowicz makes the point that in the absence of any response from the attackers indicating that they intend to participate in the proceedings, they are not prejudiced by either of these two errors. I have considered the written explanation given by Mr Wandowicz for these errors. I accept that there is a proper explanation given and that the errors are understandable given that the hearing before Stacey J took place at about 1.00 a.m. and that the solicitor who attended it was not familiar with the procedure for interim relief applications. I also agree with Mr Wandowicz that no prejudice whatsoever has been caused by either of the two errors given the complete non-engagement by the attackers with these proceedings so far.
The application before me today is for continuation of the injunction granted by Stacey J with certain modifications. I deal first with the application to continue the injunction but before I go on to that, I should indicate that, as I said at the beginning of this hearing, I am entirely satisfied that it has been necessary to conduct the hearing today in private as I indicated before. I made a direction under CPR r.39.2 that it was necessary to proceed in private to avoid undermining the object of the application before me. In making that direction, I have regard to Practice Guidance (Interim Non-disclosure Orders) [2012] 1 WLR 1003 at [40] which indicates that the default position is that hearings such as this on a return date should be in public. As CPR r.39.2 makes clear, a cogent evidence basis is required to derogate from that default position but, as I also made clear, such a basis is shown in this case. In particular, if I had held this hearing in public, I would thereby have disclosed matters which would further the object of the apparently criminal cyberattack which appears to have been perpetrated in this case. Therefore, for the reasons given by Nicklin J in the case of PML v Person(s) Unknown [2018] EWHC 838 (QB) at [14] - [16], I was satisfied that it was strictly necessary for this hearing to be conducted in private.
For the same reasons, I was also satisfied that the claimant should continue to be anonymized in these proceedings. The claimant appears to have been the victim of blackmail. If the claimant was not anonymized, I am at this stage satisfied that the object and purpose of the blackmail and of the cyberattack would be furthered and this court should not lend its procedures to the furtherance of any such purpose. If at a later stage any third-party affected by these proceedings wished to submit to the court that the identity of the claimant should be made public, it would be entitled to do so by making an application to the court under the liberty to apply which the draft order contains.
The terms of the order are modelled on the draft order which is contained in the practice note on interim nondisclosure orders, which I have already mentioned. There are some modifications and Mr Wandowicz has very properly taken me through each of the modifications one by one so as to explain the basis for the modification and the reason why it has been made. Before I come to those modifications, I perhaps ought to indicate that I have considered the question of extension of Stacey J’s order. In principle, I am satisfied on the basis of the evidence I have seen that there is not only a serious arguable case – the threshold for granting interim relief set out in American Cyanamid Co (No 1) v Ethicon Ltd [1975] AC 396 – but an overwhelming case for injunctive relief. The defendants have been given every opportunity to respond to the application and have declined to do so. In the light of the evidence and the lack of any response, it seems to me clear that the test for the grant of interim relief is amply satisfied. There are no discretionary factors which tell against the grant of relief and therefore, in principle, relief ought to be extended.
As to the modifications that have been made to the form of order set out in the practice direction on interim non-disclosure, as I indicated, Mr Wandowicz has taken me through those and I am satisfied that all of the modifications are justified.
Taking them one by one, in para.6 of the order, the defendants are required to identify themselves to the claimant and the court. That order, or an order in substantially those terms, was made by Nicklin J in PML v Persons Unknown (to which I have already referred) at [17]. As Nicklin J said in that case, it cannot be assumed that all defendants will choose defiance even if that remains a possibility.
At paras 8 - 9, there are certain modifications made to the model order but I am satisfied that those modifications are proper ones in this particular case. They include a requirement that no copies of the skeleton arguments or other filings may be provided to any person without further order of the court. The reason for that should be obvious but I state it nonetheless. The evidence and skeleton arguments in these proceedings divulge features of the information which appears to have been stolen which might assist anyone with malicious intent to identify that information. I interpolate here that some of the information has already been published but it has been published in circumstances where it has not come generally to the attention of the public and there is no reason to suppose that it will do unless further publication occurs.
Paragraphs 11 - 12 of the order make certain modifications which are necessary in this case. As to para. 11, that provides retrospective permission for redactions to the evidence and skeleton argument used in the without notice application before Stacey J. I am satisfied that there was a proper basis for making those redactions even though, in an ideal world, permission should have been sought from Stacey J. Applications made at 1.00 a.m. before the duty judge are not, of course, made in an ideal world and, as I have said before, it is understandable that the error was made. In any event, I am satisfied that the redactions made are proper redactions at least at this stage where the defendants have shown no inclination to participate in these proceedings in any way whatsoever. Paragraph 12 provides that the claimant need not serve any further documents unless the defendants identify themselves and show interest in the proceedings. That order tracks one which was made recently in The Ince Group PLC v Person(s) Unknown [2022] EWHC 808 (QB) at [14] by Saini J. For the reasons he gives, I am satisfied that such an order is entirely appropriate at this stage. Further consideration may have to be given at a later stage to the way in which the material currently redacted is dealt with in the proceedings but it would be disproportionate for that consideration to be required to be given at this stage where, as I have said, the defendants have evinced no inclination to participate in these proceedings.
Paragraphs 13 - 14 require the disclosure of information within twenty-four hours of service of this order. I am satisfied that that order is also one which is necessary in this case. If the defendants wish to participate in these proceedings or to argue why that order should not have been made, there is a provision in the order which allows them to do so. In the absence of any response and on the basis of the materials I have seen, I am satisfied that the order in the form of paras 13 - 14 is a proper one.
Paragraph 18 provides for modifications of the ordinary provisions allowing third parties to access the papers in this case. Its effect is that material can be shown only to parties who already have the claimant’s information in their possession. If any other party wishes to see the materials upon which the applications to Stacey J or to me were made, that party can apply to the court. Unless such an application is made and granted, there is no reason why a third-party should have access to the materials at this stage.
Paragraph 28 requires the claimant to take steps to prosecute these proceedings, including but not limited to issuing an application for a default or summary judgment. There are provisions dealing with service which mirror those granted by Stacey J. I have struck from the draft order the provision proposed as to costs because it seems to me that, at this stage, there is no point in making an order for costs. However, I will replace what was sought in the draft order with an order that costs be reserved.
If I have not dealt with every single provision in this order, that is because either it is a slight modification of the model order and the reasons for the modification are obvious, or, if not, the terms are not so significantly different from the draft order as to require explanation. Those then are my reasons given in private for granting the order in substantially the terms sought by Mr Wandowicz on behalf of the claimant but with the minor modifications I have mentioned and some other minor modifications.
I am going to ask you, please, to produce the order. It will be clear from my judgment and perhaps I ought just to make this clear as well for the transcript that I am entirely satisfied that the claimant is likely, and by likely, I mean more likely than not, to obtain final relief in the form set out in this interim order or substantially the same form. That means that the test in s.12 of the Human Rights Act 1998 is satisfied if that test applies. However, I see good grounds for questioning whether any right to freedom of expression is actually engaged here at all given that, on the evidence before me, the only purpose of disclosure in this case appears to be to further a criminal blackmail attempt. I doubt, in those circumstances, that the fact of disclosure engages the defendants’ rights to freedom of expression at all for very much the reasons given by Saini J in the Ince Group case. If that right is engaged, as I have said, the right is wholly outweighed, for the purposes of this application at least, by the claimant’s confidentiality interest in the matters the subject of the cyberattack.
__________
CERTIFICATE Opus 2 International Limited hereby certifies that the above is an accurate and complete record of the Judgment or part thereof. Transcribed by Opus 2 International Limited Official Court Reporters and Audio Transcribers 5 New Street Square, London, EC4A 3BF civil@opus2.digital This transcript has been approved by the Judge.