The Ince Group Plc v. Person(s) Unknown
The Ince Group Plc v. Person(s) Unknown
[2022] EWHC 808 (QB)
In the High Court of Justice, Queen’s Bench Division
Case QB-2022-001053
Before Justice Saini
Decided on April 01, 2022
Relevancy of the Case: Permanent injunction against unknown persons restraining them from sharing the claimant’s confidential information after a ransomware attack, and seeking authorisation for service through an alternate medium
Statutes and Provisions Involved
- European Convention on Human Rights, 1950 (Article 10)
- Human Rights Act 1998 (Section 12)
- Civil Procedure Rules Part 25A – Interim Injunctions (Practice Direction 5.1(2))
Relevant Facts of the Case
- The claimant is an international commercial law and business services firm. Its internal security team detected a cyber attack on March 13, 2022. Via a ransomware attack, the defendant obtained confidential data of the claimant.
- The defendant is threatening to disclose the claimant’s confidential information in the public domain. The claimant received a communication from the defendant asking for ransom.
Prominent Arguments by the Counsels
- The claimant’s counsel requested the court to conduct this hearing in private. He sought relief of a mandatory nature requiring the defendant to delete, deliver,, or destroy the information they have stolen. The claimant cannot serve a notice to the defendant unless they identify themselves and provide an address for service.
- He relied on the judgements of Clarkson Plc v. Persons Unknown (2017) and 4 New Square v. Persons Unknown (2021). In both these cases, the defendant’s case is unknown.
- The claimant’s counsel also seeks the court’s authorisation for an alternative mode of service. He relies on Linklaters LLP v. Mellish [2019] EWHC 177 (QB) and PML v. Persons Unknown [2018] EWHC 838 (QB).
Opinion of the Bench
- While seeking a private hearing, the claimant has not requested anonymity. This case concerns an ongoing incident of apparent blackmail for stolen information. The claimant is investing in the efforts to trace the defendants. Given the confidential data involved, it is reasonable to conduct this hearing partially in private. However, there will be a public judgment restricted to facts necessary to explain the reasons for the judgment. This will satisfy the open justice requirements.
- The defendant knows that they should not have access to the claimant’s data. Or, they are aware that their actions are criminal in nature. There is a clear indication that they are motivated by money.
- In ransomware injunctions, it is appropriate to proceed without giving notice to the defendants. This is because the notice would trigger the defendant to disseminate confidential information.
- It is not appropriate for the court to go into the nature of data in this public judgment.
- The defendant is not seeking to publicise the claimant’s confidential data for any legitimate reason. Therefore, the court shall grant a prohibitory injunction against the defendant.
- To send the claimant’s evidence to the defendant may lead them to further misuse it. They can also particularise which documents are considered more sensitive.
- There is ample justification for the claimant to be able to serve the defendant through the website they have been communicating with each other.
Final Decision
- The claimant shall not serve the witness statement to the defendant until they identify themselves and provide an address.
- The court grants a prohibitory injunction, with passing instructions for the claimant’s counsel to prepare an order draft.