Practical assistance from the Courts in relation to ransomware attacks: XXX v Persons Unknown (2022)

We consider the facts and explore the practical outcomes of the case in this article. 

Facts 

In March 2022, the claimant (who remains anonymous for the purposes of this claim) received a ransom note, notifying them that they had been the victim of a cyber-attack in which cyber attackers had obtained and downloaded the claimant’s databases, server and encrypted files and had made them inaccessible to the claimant. The claimant’s business related to the provision of technology-led solutions for projects of national significance and as such the data obtained was highly classified, security-sensitive information that was protected by the Official Secrets Act 1989. The attackers demanded a ransom of USD 6.8 million in exchange for the decryption and non-disclosure of the data. The claimant made a without notice application and, on 30 March 2022, the Judge (Stacey J) granted an injunction which prohibited the attackers from using or disclosing the data that they had obtained from the cyber-attack. This injunction was continued at a subsequent hearing by another Judge (Chamberlain J) until trial or further order. 

The claimant then brought proceedings for breach of confidence, claiming both a permanent injunction and damages. The claimant subsequently sought a summary judgment in respect of the permanent injunction. 

Breach of confidence claims

In order to succeed with a claim for breach of confidence, the claimant must establish that (Attorney General v Guardian Newspapers Ltd (No. 2) [1990] 1 AC 109) the information:

1. has the necessary quality of confidence; 
2. that the defendant came to know of what was being said in circumstances importing an obligation of confidence; and 
3. that there had been unauthorised use or a threat to use that information to the detriment of the owner of the information.

Remedies available for breach of confidence include an injunction, an award of damages or account of…