Orders Against Unknown Persons – a development in Australian data breach litigation

It is sometimes taken for granted in a data breach response that there is no utility in suing threat actors who are unknown and often located overseas in jurisdictions not amenable to cross-border litigation. However, the recent decision of the Supreme Court of New South Wales in HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71 demonstrates that there can be grounds to sue unknown threat actors – and sometimes it may be necessary for a party to take injunctive steps to protect its claims of confidentiality.

The HWLE Data Breach

The facts of the HWLE data breach are well-known. In April 2023, a group named AlphV or Blackcat accessed HWLE’s servers and exfiltrated 3.6 terabytes of data comprising 2.4 million files. The data included client files belonging to 65 government agencies and departments (including Home Affairs and Defence), major banks, insurers and numerous ASX-listed companies. The threat actors then attempted to ransom HWLE and on 9 June 2023 published some of the stolen data on the dark web.

The Proceedings

On 12 June 2023, the Court granted interlocutory relief against the threat actors as a class of “those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems.” The orders were served by HWLE by email to the address from which the firm had received the ransom. HWLE received a three-word expletive response.

The Court subsequently made orders for substituted service of a statement of claim. The threat actors did not appear and HWLE made an application for default judgment, which was set down for hearing on 26 November 2023.

The Court considered the following issues in determining whether to grant the final relief sought by HWLE:

  1. Service Issues. The pleading was served on the threat actors in accordance with the orders for substituted service and the Court exercised its discretion to allow service on persons outside of Australia.

  2. Entitlement to and Scope of Default Judgment. It is a unique feature of this case that the persons against whom relief was sought were unknown. The Court referred to the decision of the English High Court in Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761 (KB) at [13], [14], [20], [22] per Collins Rice J, where the Court granted an injunction in favour of an accounting firm against unknown threat actors. A number of other recent decisions in UK courts regarding data breaches have resulted in courts making orders against persons unknown. Slattery J in the Supreme Court held the discretionary factors overwhelmingly supported the making of the orders.

  3. A Judgment against “Persons Unknown”. While orders against persons unknown are rare, Australian courts have long exercised jurisdiction to make these orders, including in tort to prevent trespass to land, public nuisance etc. As to the utility of the orders, the Court stated it “cannot know what effect the grant of an injunction will have against persons unknown”. However, the fact the threat actors have a reputation for wilful disobedience to the law does not confer immunity from injunctions and in these circumstances the orders were appropriate. Also, the orders will have utility in preventing potential publishers of the data from disseminating it.

  4. The Form of the Orders. The Court considered whether the orders should provide for HWLE to approach the Court in the future in the event that the identity of any of the threat actors became known. The Court reserved for further consideration the possibility of joinder of individual defendants. It is possible that the identity of some of the threat actors may become known if the Government implements sanctions against those responsible.

Our Insights

From one point of view, the judgment represents a Pyrrhic victory for HWLE. The firm has no realistic ability to enforce the judgment against the threat actors or online publishers overseas. The prospects of recovering the costs of the Supreme Court litigation against the defendants must be close to zero.

However, the judgment also represents the important fact of HWLE having taken reasonable steps to protect confidential information belonging to its partners and clients that was stolen in the data breach. As the decision of the High Court in Glencore International AG v Commissioner of Taxation [2019] HCA 26 demonstrates, seeking an injunction to protect stolen confidential information is often a necessary step if the party wishes to maintain its claim for confidentiality. A failure to seek an injunction might (in certain circumstances) become evidence of waiver of that claim.

The judgment also noted that the effect of the orders may be to dissuade potential publishers and online platforms from further disseminating the stolen data. This was no doubt a strategic consideration motivating the plaintiffs in seeking the injunctions.

Our privacy and data protection team is at the forefront of data breach litigation. Please reach out to discuss any aspect of this area further with our team, who would be happy to assist.