Orders Against Unknown Persons – a development in Australian data breach litigation
Written By
Partner
Australia
I am an experienced litigation and investigations lawyer based in Sydney, leading Bird & Bird's Australian disputes and investigations practice and co-leading our global Defence and Security practice.
Senior Associate
Australia
I am a senior associate in our Dispute Resolution Group in Sydney, specialising in media and technology disputes, commercial litigation and privacy and cybersecurity advisory work.
Senior Associate
Australia
I am a senior associate in the Dispute Resolution team at Bird & Bird specialising in commercial, corporate, contractual and insolvency litigation.
Related
Practices
Regions
Countries
It is sometimes taken for granted in a data breach response that there is no utility in suing threat actors who are unknown and often located overseas in jurisdictions not amenable to cross-border litigation. However, the recent decision of the Supreme Court of New South Wales in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 demonstrates that there can be grounds to sue unknown threat actors – and sometimes it may be necessary for a party to take injunctive steps to protect its claims of confidentiality.
The HWLE Data Breach
The facts of the HWLE data breach are well-known. In April 2023, a group named AlphV or Blackcat accessed HWLE’s servers and exfiltrated 3.6 terabytes of data comprising 2.4 million files. The data included client files belonging to 65 government agencies and departments (including Home Affairs and Defence), major banks, insurers and numerous ASX-listed companies. The threat actors then attempted to ransom HWLE and on 9 June 2023 published some of the stolen data on the dark web.
The Proceedings
On 12 June 2023, the Court granted interlocutory relief against the threat actors as a class of “those persons who carried out or participated in the unauthorised exfiltration of…
