Relief Granted Against Unknown Hackers – a Landscape Decision amid a New Cyber World
The Supreme Court of New South Wales (‘NSW’) judgment in HWL Ebsworth Lawyers v Persons Unknown [2024], has signified the necessity for the Australian Legal System to adapt to the ever-evolving landscape of cybersecurity law.[1]
The landmark decision reflects the possibility for protections in the way of injunctive relief to refrain unknown defendants from publishing or disclosing data obtained in cybersecurity breaches.
The Facts
April 2023 – HWL Ebsworth Lawyers (‘HWLE’) received an email from a group of unknown cyber hackers named “Blackcat”. The hackers alleged they had infiltrated HWLE’s systems and extracted up to 4TB of confidential data. The extracted materials included sensitive legal advice provided to Australian government entities. The group threatened to disclose the extracted information if HWLE did not provide Blackcat with their demanded ransom. Upon HWLE’s refusal to pay the ransom, the cyber hackers made some of the stolen data available on the dark web.
The Outcome
June 2023 – In response to the data breach HWLE were successful in granting an interlocutory injunction against the defendant. As the hackers were unknown, HWLE managed to classify Blackcat as a class ‘those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems’.[2] Fortunately, The Supreme Court of NSW accepted this class was sufficient to seek an injunction remedy. Slattery J determined that the class was adequately precise and did not contravene the proposition that injunctive relief is not available against the world at large.[3]
February 2024 – Slattery J made the interlocutory order final. Thereby, HWLE were granted a permanent injunction against the online hackers refraining the hackers and other parties more broadly from transmitting, publishing or facilitating the publication, or using for any other purpose, the stolen data. Other parties could include HWLE’s own clients and online media publications.
Some Reflections
Notably, the court explained the effects of an injunction against “persons unknown” cannot be determined for sure.[4] However, the injunction would have utility by usefully notifying “potential publishers of the data [breach] to reinforce to such persons that they should not take any steps to frustrate the effectiveness of the Court’s orders”.[5] Thus, in accordance with HWLE’s submission, the court delivered a clear message that the sensitive nature of having confidential data exfiltrated, should not be exacerbated by third-party dissemination of exfiltrated materials.
In a world governed by technological advances in which a business’ reputation relies profoundly on its online presence, the efforts by the courts to support the reduction of further dissemination of stolen data should be welcomed. The courts approach reflects the ability to eliminate and minimise data breaches and third-party resharing of data through legal frameworks.
Evidently, as technology continues to advance so too do the myriad of criminal activities occurring online. The court’s judgement in this matter reflects a pragmatic approach in supporting business practices amid an ever-advancing technological world. Seemingly, it is essential that courts practice laws that reflect the safeguarding of businesses, and individuals more generally against cybercrime.
[1] NSWSC 71.
[2] Ibid para 13.
[3] Maritime Union of Australia v Patrick Stevedores Operations & Anor (1998) 4 VR 143.
[4] (n 1) para 37.
[5] (n 1) para 37; Grant-Taylor v Jamieson (2002) 11 BPR 21,023; [2002] NSWSC 634 at [9]–[15] per Barrett J.