HWL Ebsworth Lawyers v Persons Unknown

Supreme Court

New South Wales

• Amendment notes

Medium Neutral Citation:	HWL Ebsworth Lawyers v Persons Unknown [2024] NSWSC 71
Hearing dates:	24 November 2023, 18 December 2023 last written submissions received, decided on the papers.
Date of orders:	12 February 2024
Decision date:	12 February 2024
Jurisdiction:	Equity
Before:	Slattery J
Decision:	Default judgment entered against the defendants described as unknown persons including orders for injunctive relief to restrain the defendants from dealing with the plaintiffs’ confidential information.
Catchwords:	EQUITY - Equitable remedies - Injunctions - Breach of confidence - Conduct constituting breach - restraining third parties from using confidential information - unidentified Internet hackers steal data from private databases controlled by the plaintiffs – the plaintiffs are partners conducting legal practice in a national law firm – plaintiffs filed proceedings by summons and are granted an interlocutory injunction against “persons unknown” – orders made to bring the summons and affidavits in support to the attention of the unknown actors who stole the data – the unknown actors do not appear – plaintiffs seek to enter default judgment against the unknown actors –– whether the data taken from the plaintiffs was identifiable, whether it had the necessary quality of confidence, whether it was received by the defendants in circumstances importing an obligation of confidence and whether there is actual or threatened misuse of the information. CIVIL PROCEDURE — Parties — Joinder — Of defendants – whether default judgment can be entered against the defendants, described as persons unknown – whether the Court should grant injunctive relief against the defendants, described as persons unknown – what allowance should be made for the possibility that persons presently described as persons unknown may later be identified and further relief sought against them.
Legislation Cited:	Civil Procedure Act 2005, s 61(g) Uniform Civil Procedure Rules 2005, rr 11.4, 11.5, 11.8AA, 11.88AA, 16.1, 16.4-8, 16.10, 18.5, Schedule 6
Cases Cited:	Australian Competition and Consumer Commission v Chen [2003] FCA 897 Australian Hardboards Ltd v Hudson Investment Group Ltd [2007] NSWCA 104 Agar v Hyde (2000) 201 CLR 552 Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761 (KB) Bloomsbury Publishing Group Ltd &Anor v News Group Newspapers Ltd &Ors [2003] EWHC 1205 (Ch) CLM v CLN and Others [2022] SGHC 46 Corrs Pavey Whiting & Byrne v Collector of Customers (Vic) (1987) 14 FCR 434 at 443; [1987] FCA 266 Dandaloo Pty Ltd v Iali [2017] NSWSC 1738 Electricity Commission of New South Wales v Arrow (Unreported, NSW Sup Court, 7 December 1990) Hodgson J Hutchinson v AD Securities America LLC [2021] NSWSC 1573 Jacek Gnych v Polish Club Limited [2016] NSWSC 987 Maritime Union of Australia v Patrick Stevedores Operations & Anor (1998) 4 VR 143 McDonald’s Australia Ltd v Watson [2013] VSC 502 Nesor Nominees Pty Ltd v Big Boys BBQ Qld Pty Ltd [2019] FCA 1208 Obela Fresh Dips and Spreads Pty Ltd v Coetzee [2020] NSWSC 1862 PML v Persons Unknown [2018] EWHC 838 (QB) Stone v WXY [2012] EWHC 3184 (QB). State Bank of New South Wales Limited v N.A. Macdonald (Unreported, Cole J, 17 January1992, BC9202104 at 3) Wolverhampton City Council and others (Respondents) v London Gypsies and Travellers and others (Appellants) [2023] UKSC 47. X v Y & Z [2017] NSWSC 1214 XXX v Persons Unknown [2022] EWHC 2776 (KB)
Texts Cited:	Spry, Equitable Remedies (8th Ed, 2014, Lawbook Library)
Category:	Principal judgment
Parties:	Plaintiff: Juan Jose Martinez as Trustee for the Martinez HWL Practice Trust and others (as mentioned in the attached schedule) trading as HWL Ebsworth Lawyers
Representation:	Counsel: Mr T Maltz on behalf of HWLE Ebsworth Lawyers Solicitors: Mr Andrew Miers, HWL Ebsworth Lawyers
File Number(s):	2023/00188190
Publication restriction:	No

Judgment

1. The plaintiffs, Mr Juan Martinez and others, the national law firm HWL Ebsworth Lawyers (“HWLE”) seek to make final an interlocutory injunction granted in their favour. The injunction was granted to prohibit the dissemination of information stolen from HWLE by unknown hackers who penetrated HWLE’s computer systems using the Internet. In a default judgment at the conclusion of these short reasons the Court makes the interlocutory injunction final.

2. The proceedings first came before me on 24 November 2023 in the Equity applications list of the Court. HWLE was given liberty to file further submissions which it did on various dates in December 2023. Mr T Maltz of counsel appeared on the application on behalf of HWLE, instructed by Mr Andrew Miers of HWLE. The Court has been much assisted in its consideration of the issues presented in this application by the detailed and careful oral and written submissions of the legal representatives of HWLE.

Unnamed Internet Hackers Penetrate HWLE’s Computer Systems

3. On 26 April 2023, unnamed computer hackers (referred to in these reasons as the “threat actors”) sent messages to HWLE from an identified email address. The threat actors claimed to have stolen data from HWLE. Claiming to be from a group named “ALPHV”, also known as “Blackcat”, the threat actors said they had infiltrated HWLE’s computer systems. Introducing themselves, the threat actors said,

“hello. The largest legal partnership in Australia now have a big problem with your data leak. 4TB data has been downloaded from company file servers…”.

4. The threat actors described the material taken as including valuable internal data of HWLE – “of course it includes absolutely and highly confidential data”– and client documentation including financial and credit card and loan information. The threat actors concluded with an ultimatum seeking amounts of at least $4 million, and saying,

“You have 3 days till Friday, after that we make your post public and if you will still keep silence we will prepare documents for publication.”

5. HWLE was able to verify from its own internal information technology expertise that the threat actors had managed to access and transfer at least two million of HWLE’s files comprising at least 3.5 TB of data out of HWLE’s own servers based at HWLE’s Melbourne office. The process of removal of these files and this data from HWLE’s servers by the threat actors is referred to in these reasons by the term that is used in the expert evidence of Mr Aaron Elliott as “exfiltration”.

6. On 28 April 2023, the threat actors posted to a forum on the “dark web” a claim that they were responsible for the exfiltration of 4 TB of HWLE’s data. The same day the threat actors made another extortion demand. In a parody of a commercial transaction, they wrote to HWLE asking, “[w]hat have you decided? We will make a good discount, suitable for redemption. This is our offer”.

7. Their offer was a threat, which sought further to isolate HWLE and to persuade the firm that the cost of it paying a ransom would be small compared with the consequences of a data publication by Blackcat:

“We warn you that if payment is not made, the information will be published in the public domain. I think you will understand how much the data is worth after publishing it. Upon receipt of reputational damage, fines from the state and courts. You are losing even more money than we asked. For your company, the fact that you pay this amount and forget about it will not matter much.

Do not contact the FBI, police, or other private agencies. They do not care about your organisation, they are not going to buy you out, which entails the publication of files, and then lawsuits, fines.

Do not tell anyone about cases of loss of reputation. Remember, your organisation is only valuable to you.”

8. In an endeavour to ascertain the facts and to retrieve its data, HWLE communicated with the threat actors through the dark web forum the threat actors had used to communicate with HWLE. From these communications HWLE ascertained that the threat actors probably had in their possession the HWLE files and data that they claimed to have.

9. Blackcat is known to the Australian Signals Directorate (“ASD”). ASD is the national body entrusted, among its many functions, to conduct operations to defend Australians and Australian businesses against cyber risks and to conduct offensive cyber operations on behalf of Australia, using the full spectrum of operations required of contemporary signals intelligence and security agencies. ASD has noted in publicly available information that Blackcat, in that name and by various pseudonyms, is a Ransomware–as–a–Service (“RaaS”) affiliate program associated with Russian–speaking cybercrime actors.

10. Using what is known as a reverse IP address lookup tool, HWLE’s IT experts ascertained that the threat actors had used an unauthorised IP address, which can be approximately geolocated in Sofia, in Bulgaria. Reverse IP address lookup tools cannot provide an exact physical address, or the name of any individual connected to the IP address. A virtual private network (“VPN”) can be used to cloak the actual IP address being used, making it impractical to use an IP address to locate an individual. The Court is satisfied that the threat actors involved in the exfiltration cannot readily be identified by HWLE through the analysis of Internet IP addresses.

11. HWLE resisted the pressure from Blackcat and refused to pay the ransom. In the first week of June 2023 the threat actors posted further warnings to their dark web forum and sent another ransom email like that sent on 28 April 2023.

12. The threat actors further responded on 9 June 2023 by making some of the subject HWLE files available on the dark web, in a cache amounting to 1.4 TB of HWLE data. HWLE countered this escalation by filing the Summons in these proceedings, seeking urgent relief against “persons unknown”. HWLE took this course because it could not identify any of the threat actors before the proceedings were commenced.

13. On 12 June 2023 Hammerschlag CJ in Eq granted the interlocutory relief HWLE had requested against the defendants. HWLE’s Summons and the 9 June 2023 interlocutory orders defined the defendants as a class of “those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems.” Apart from defining the class of defendants by what they were alleged to have done to HWLE, the defendants were not otherwise named as individuals in Hammerschlag CJ in Eq’s orders. The interlocutory injunction was modified on 14 June 2023 and was in substantially similar terms to the final relief which is granted in the orders made today.

14. In conformity with the Court’s interlocutory directions for service, on 12 June 2023, HWLE sent the interlocutory orders made by in Hammerschlag CJ in Eq to the defendants at the email address that they had used to communicate the demands and at the forum on the dark web that the defendants had used to make their threats. HWLE sent further information, including the orders and affidavits in the proceedings, to the threat actors on 15 June 2023.

15. Some of the threat actors received this information. On 17 June 2023, HWLE received an emailed response from the email address at which HWLE had served the documents under the Court’s directions. The Court infers from the terse three worded message, “fuck you faggot”, in the response, that some of the threat actors were displeased that HWLE had taken legal proceedings rather than paying the ransom. By 27 June 2023 the sample cache of HWLE data could no longer be found at the dark web forum where it had previously been identified.

16. The Court made orders on 18 July 2023 for substituted service on the defendants as defined in the Summons. The Court is satisfied that on or about 7 August 2023 that a draft Statement of Claim together with the orders for substituted service were served in conformity with the orders for substituted service at the email address and dark web forum address used by the threat actors. Orders were made on 14 August 2023 permitting the filing and confirming substituted service of the Statement of Claim. On 15 August 2023 a Statement of Claim was filed and once again sent by email to the same email and chat forum addresses that were used for the order for substituted service.

17. On 18 September 2023, the Court noted that the defendants had failed to appear and ordered that the plaintiff file a Motion and any supporting affidavit evidence for default or summary judgment and for leave to proceed against the defendants pursuant to Uniform Civil Procedure Rules 2005 (“UCPR”), r 11.8AA. The orders included an order under UCPR, r 10.16, read with UCPR, r 18.5, that the service of the Motion for judgment and affidavit could be affected on the defendants by filing them in Court. The necessary notice of motion and affidavits in support were filed on 27 October 2023. Although the Court’s orders of 18 September 2023 did not require further service of the Motion and affidavits in support on the defendants, they were in fact served at the same email address and dark web forum through which HWLE had communicated with some of the threat actors. The default judgment application was set down for hearing on 26 November 2023 in the applications list.

18. The Court is satisfied that HWLE has served the Statement of Claim in conformity with the orders of the Court and that all reasonable efforts have been made to draw the Statement of Claim and the materials constituting the application for default judgment to the attention of the defendants, as defined.

19. But no defendant has ever appeared, filed a defence to the Statement of Claim or sought to resist the application for default judgment. The defendants are in default of the procedural steps required of them to defend HWLE’s claim for relief against them. HWLE now seeks default judgment including the grant of a permanent injunction in substantially the same form as the interlocutory injunction that has already been granted.

Consideration

20. Service Issues. The Court is satisfied on the evidence and the chronology of events set out above that appropriate steps have been taken to bring to the attention of the defendants the present application for default judgment. Given the nature of the threat actors’ conduct and the limited means of contact with the threat actors that are available, all reasonable opportunities to bring the proceedings to their attention have been taken.

21. The limited available evidence suggests the defendants are probably located outside Australia. Service of the Originating Process in these proceedings, the Summons, outside Australia did not require the prior leave of the Court under UCPR, r 11.5. HWLE’s claims for relief fell within several of the UCPR, Schedule 6, or so-called “long arm”, categories of claim, which excuse any requirement to obtain the Court’s leave before foreign service takes place: UCPR, r 11.4. The Summons and Statement of Claim made clear that HWLE claims an injunction to compel or restrain the performance of an act in Australia – dealing with HWLE’s data in Australia as well as overseas: Schedule 6 (d). The claim relates to property situated in Australia, namely HWLE’s data: Schedule 6 (e).

22. Where an originating process is served on a person outside Australia without prior leave and the person does not enter an appearance, the party serving the document may not proceed against the person served except by leave of the Court: UCPR, r 11.88AA. The requirements of UCPR, r 11.88AA are satisfied here: substituted service has occurred, and no one has entered an appearance. The Court therefore has a discretion whether to grant leave to proceed. The Court is satisfied that leave to proceed against the defendants should be granted under UCPR, r 11.88AA. Discretionary factors favour the grant of leave. This Court is not a clearly inappropriate forum. It is not necessary to evaluate the strength of the case unless the defendants were to appear: Agar v Hyde (2000) 201 CLR 552 at 573-4 (at [50]-[51] and [54] per Gaudron, McHugh, Gummow and Hayne JJ). But HWLE’s case is well maintainable on the evidence.

23. Jurisdiction having been established by service, an equity court has jurisdiction to make orders restraining foreign defendants: X v Y & Z [2017] NSWSC 1214 per Pembroke J at [11]-[12], citing Australian Competition and Consumer Commission v Chen [2003] FCA 897 at [40] per Sackville J; and Spry, Equitable Remedies (8th Ed, 2014, Lawbook Library) at 36.

24. Entitlement to and Scope of Default Judgment. The Court can now enter default judgment against the defendants. The Motion for the entry of default judgment was served in accordance with the Court’s orders. By failing to file a Defence within 28 days of service of the Statement of Claim the defendants are in default: UCPR, r 16.1. They are also in default of the Court’s order of 14 August 2023 for the filing of a defence by 12 September 2023 and the Court can also enter default judgment under Civil Procedure Act 2005, s 61(g).

25. The Court has discretionary power to enter such a default judgment against a defendant as the plaintiff appears to be entitled on the Statement of Claim: UCPR, r 16.10. This discretionary power exists in addition to the Court’s power to enter default judgment in respect of land, goods and liquidated and unliquidated claims: UCPR, r 16.4-8. In the exercise of this power this Court has in the past entered default judgment granting equitable discretionary relief, such as for specific performance, or has indicated a willingness to do so: Dandaloo Pty Ltd v Iali [2017] NSWSC 1738 at [38] per Darke J, and Hutchinson v AD Securities America LLC [2021] NSWSC 1573 per Ward CJ in Eq at [13]. Analogous powers have been exercised in the Federal Court of Australia: see for example, Nesor Nominees Pty Ltd v Big Boys BBQ Qld Pty Ltd [2019] FCA 1208 (see at [13], [17], [30], and [34]), a trademark infringement case.

26. The Statement of Claim seeks injunctive relief against the defendants, restraining them from dealing with HWLE’s exfiltrated data (defined as the “Impacted Dataset”) by placing it on the Internet, transmitting or publishing it, using it for any purpose, or facilitating its publication, without HWLE’s consent. The relief sought extends to any third party in possession of the Impacted Dataset.

27. UCPR, r 16.10 empowers the court to grant the discretionary remedy of the injunctive relief sought in the Statement of Claim. And provided the relief is carefully targeted, there is every reason why the Court should grant injunctive relief in this case. Default judgment has been granted in similar cases of data theft and extortion in other jurisdictions: Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761 (KB) at [13], [14], [20], [22] per Collins Rice J. Here the discretionary factors favouring a grant of relief echo those in Armstrong Watson LLP v Person(s) Unknown. These factors feature the elements of theft compounded by attempted blackmail, defendants concealing their whereabouts and their identities, breaches of the court's orders, deliberate avoidance of the litigation.

28. The Breach of Confidence Case. On the evidence detailed in these reasons which the Court accepts, as it is entitled to do in a default judgment application, HWLE has made out a strong prima facie case of breach of confidence. In the ordinary case the Court can assume on application for default judgment that the pleaded facts above are proven: Obela Fresh Dips and Spreads Pty Ltd v Coetzee [2020] NSWSC 1862 at [20] per Rees J. But here where discretionary equitable relief is sought the evidence adduced allows the Court to act on more than just an assumption about the truth of the pleaded allegations.

29. What a plaintiff must prove to show a breach of confidence is well-established. A plaintiff must be able to identify with specificity the information in question; the information must have the necessary quality of confidence; the information must have been received by the defendant in circumstances that import an obligation of confidence; and there must be actual or threatened misuse of the information: Corrs Pavey Whiting & Byrne v Collector of Customers (Vic) (1987) 14 FCR 434, at 443; [1987] FCA 266 per Gummow J.

20. Examples need hardly be cited, but the theft of confidential records coupled with an attempted extortion will readily give rise to a sound action for breach of confidence, and the case for the grant of injunctive relief will often be “overwhelming” in such cases: see XXX v Persons Unknown [2022] EWHC 2776 (KB) (25 October 2022) at [35] and [40] citing PML v Persons Unknown [2018] EWHC 838 (QB) at [13]. That is what the Court has here.

21. As pleaded by HWLE, the Court is satisfied that the nature of the data on HWLE’s service and the way it was kept demonstrate it was confidential information, which was not available beyond a limited class of persons within HWLE who were bound to keep it confidential. HWLE has not individually itemised the documents that were taken raising the very slight risk that some of the documents were not confidential, but it has been recognised on high authority that to require itemisation in such circumstances would be “oppressive and verging on the absurd”: Imerman v Tchenguiz and Others [2011] 2 WLR 592; [2011] Fam 116 at [78] per Lord Neuberger of Abbotsbury MR and Moses, Munby LJJ. HWLE has a sufficient interest to seek the injunction: it is the owner of its own business secrets, and it has a responsibility to protect client confidences.

22. The surreptitious way that the threat actors accessed the information by breaking into HWLE’s servers gave the threat actors clear notice of the confidentiality of what they were taking. Much of the confidential material has not yet been disclosed, although there is evidence from the Chief strategy Officer of HWLE, Mr Russell Mailler, of a limited degree of dissemination of the material on parts of the dark web not frequented by typical Internet users. But in the Court’s view this limited dissemination has not caused the information to lose its quality of confidence such that it would no longer warrant protection: Streetscape Projects (Australia) Pty Ltd v City of Sydney [2013] NSWCA 2 at [162]. And finally, the extortionate actions of the threat actors in threatening to misuse the confidential information since obtaining it, make it just that they be precluded from disclosing the material.

23. A Judgment Against “Persons Unknown”. As to HWLE’s claim for an injunction against “persons unknown”, Courts in the United Kingdom and other jurisdictions have made such orders to deal with data theft: see for example Bloomsbury Publishing Group Ltd & Anor v News Group Newspapers Ltd & Ors [2003] EWHC 1205 (Ch), [2003] 1 WLR 1633 at [3], XXX v Persons Unknown [2022] EWHC 2776 (KB), Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761 (KB). This jurisdiction has been recently reaffirmed in Wolverhampton City Council and others (Respondents) v London Gypsies and Travellers and others (Appellants) [2023] UKSC 47.

24. In Australia courts have long exercised jurisdiction to make orders against persons whose names are unknown and who have been directly or indirectly involved in acts which would render them amenable to legal remedies including in tort. In Electricity Commission of New South Wales v Arrow (Unreported, NSW Sup Court, 7 December 1990) Hodgson J, at 9 and 11, granted an interlocutory hearing against unnamed trespassers. And in McDonald’s Australia Ltd v Watson [2013] VSC 502, Kyrou J (at [100]) granted such an injunction; Kyrou J distinguished the circumstances in which such an injunction will be granted from an impermissible claim for an injunction against the world at large, such the injunction that was declined in Maritime Union of Australia v Patrick Stevedores Operations & Anor (1998) 4 VR 143 at p159-162.

25. HWLE have sought to define the class of unnamed defendants in these proceedings with as much precision as appears possible in the circumstances, to avoid an impermissible claim of injunctive relief against the world at large. The orders sought describe the defendants as “those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems”. This definition describes the defendants by reason of their involvement in the breach of confidence. The definition is sufficiently broad to cover any person who was actively involved in or facilitated the exfiltration. The act of exfiltration is well described in the Statement of Claim and is a sufficiently unique and narrow series of events that a person’s membership of, or exclusion from, the class of defendants would be known with reasonable certainty by the principal threat actors involved in the exfiltration.

26. But individuals can have varying degrees of knowledge of the original act of exfiltration. Persons who aided and abetted the exfiltration by assisting in the subsequent distribution of the confidential information may have limited direct knowledge of the original exfiltration. But they too would have “participated” in the exfiltration by exporting its product. In this case the obviously confidential nature of a cache of HWLE client and internal information located on the dark web is a signpost to all such participants that they are dealing with product of the original exfiltration. In the Court’s view HWLE has done what is reasonable to differentiate the members of the class of defendants from the whole world by reference to clearly identifiable acts in which they participated.

27. The grant of an injunction has utility. The Court cannot know what effect the grant of an injunction will have against “persons unknown”. But the fact that the threat actors have been prepared to engage in repeated criminal conduct through the original exfiltration, through the ransom demands and through the subsequent wrongful dealing with HWLE’s confidential information is a strong reason to grant the injunction. As this Court has more than once said, a reputation for wilful disobedience to the law does not confer immunity from injunctions: Vincent v Peacock [1973] 1 NSWLR 466 at 468G. As HWLE submit, whatever the effect of the injunction on the threat actors, the injunction will be useful for notification to potential publishers of the data to reinforce to such persons that they should not take any steps to frustrate the effectiveness of the Court’s orders: Grant-Taylor v Jamieson (2002) 11 BPR 21,023; [2002] NSWSC 634 at [9]–[15] per Barrett J. Moreover, the injunction will assist in limiting the dissemination of the exfiltrated material by enabling HWLE to inform online platforms, who are at risk of publishing the material, of the orders: see XXX v Persons Unknown [2022] EWHC 2776 (KB) (25 October 2022) at [22].

28. The Form of the Orders. During submissions the Court raised the issue of whether the orders should provide for what might happen if some of the defendants who are presently persons unknown, either self-identify or come to be identified by other circumstances. On the presently available evidence there is no compelling reason to expect that any of these defendants will be identified soon. But the possibility should be considered. It is not uncommon experience when default judgement is entered for a defendant later to seek to appear. If that does happen HWLE may wish to seek further relief against individuals who have been identified who presently falls in the class of “persons unknown”.

29. There are examples of cases dealing with this issue in relation to interlocutory proceedings in the United Kingdom and in Singapore. In the UK some years after interim orders were made against persons unknown, who were paparazzi harassing a celebrity, applications to join individuals were declined on the basis that there was no longer an active controversy: Stone v WXY [2012] EWHC 3184 (QB). But in Singapore where two persons who fell within a class of unnamed defendants were later identified, they were joined as individual defendants: CLM v CLN and Others [2022] SGHC 46. Final judgments against persons unknown have generally not provided for a mechanism for the joinder of later identified parties: see for example Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761 (KB).

30. The applicable rule UCPR r 6.24(1), gives the Court power to join as a party any person “whose joinder as a party is necessary to the determination of all matters in dispute in any proceedings”. Even if they are later identified, individuals who fall within the class of “persons unknown” as described in these reasons may not need to be “joined as a party”, as strictly speaking they are already defendants. But to the extent that supplementary specific relief were to be sought against those individuals they would need to be individually joined as named defendants, to distinguish them from the rest of the “persons unknown” for the purpose of granting such additional relief.

31. Differing views have been expressed over the years about whether the Court has power to join parties after final judgment on the merits. In State Bank of New South Wales Limited v N.A. Macdonald (Unreported, Cole J, 17 January1992, BC9202104 at 3) Cole J declined to do so. In Jacek Gnych v Polish Club Limited [2016] NSWSC 987 Rein J made such an order. But this is a default judgment, which of its nature should allow greater flexibility in dealing with later identified parties.

32. But were HWLE to seek additional relief against identified individuals in the future, then UCPR r 6.24(1) would be engaged. To avoid unnecessary future argument about the power that is available to deal with a claim for additional relief against identified individuals, the better course is to reserve for further consideration the possible joinder of individual defendants and not just to grant liberty to apply relating to the working out of the existing orders: Australian Hardboards Ltd v Hudson Investment Group Ltd [2007] NSWCA 104 at [71]-[74] per Young CJ in Equity. The orders made below take this course, adapting an effective draft suggested by Mr Maltz of counsel.

33. Finally, the question arose as to whether, if any of the persons unknown later come to be identified, HWLE should be under a duty to approach the Court. But in the ordinary case this is a matter for a plaintiff to decide based on whether supplementary relief is to be sought against those individuals. This case should be treated the same way as the ordinary case. The Court will not impose such a duty.

Conclusions and orders

44. For these reasons the Court makes the following orders:

1. The Plaintiffs are granted leave to proceed pursuant to UCPR, r 11.8AA.

2. The Defendants as defined below (and any other third party in possession of the Impacted Dataset that is made aware of these orders) is restrained from:

1. placing material copied from the Impacted Dataset (defined below) at any location accessible via the internet;

2. transmitting, publishing or disclosing information copied from the Impacted Dataset to any person or facilitating such steps;

3. using (including viewing) any information obtained from the Impacted Dataset already in their possession for any purpose, other than for the purpose of obtaining legal advice in connection with these orders; and

4. promoting, or publishing any links to, locations from which the Impacted Dataset may be able to be downloaded,

5. without the Plaintiffs’ written consent.

3. For the avoidance of doubt, nothing in these orders prevents the Defendants or any other person from publishing, communicating, or disclosing such of the Impacted Dataset which was already in or thereafter comes into the public domain (other than as a result of a breach of interlocutory or final orders made by the Court in these proceedings).

4. Order the defendants pay the plaintiff’s costs of these proceedings.

5. The Court reserves to the applicants liberty to apply to seek to join as a named defendant in these proceedings any person falling within the definition of ‘Persons Unknown’, so as to bind that person by name for the purpose of seeking further relief against that person in addition to the relief already granted against that person as a member of the defined class of Persons Unknown.

6. The following expressions in these orders have the following meanings:

1. “the Defendants” means those persons who carried out or participated in the unauthorised exfiltration of computer files from the plaintiff’s file storage systems, as alleged in paragraph 2 and 3 of the statement of claim in these proceedings – reproduced in the schedule below; and

2. “the Impacted Dataset” means the HWLE data which was exfiltrated as alleged in paragraph 4 of the statement of claim in these proceedings – reproduced in the schedule below.

THE SCHEDULE

“Paragraphs 2,3 and 4 of the statement of claim in these proceedings are reproduced as follows:

Data held by HWLE

2)   HWLE operates storage systems, including computer systems known as ‘servers’ (HWLE Servers), which store files (HWLE Data).

The Impacted Dataset was exfiltrated to the Defendants in circumstances which impose an obligation of confidence on them

3)   Sometime prior to 26 April 2023, one or more persons whose names are not known (being the Persons Unknown named as the Defendants) carried out or participated in the unauthorised exfiltration of computer files from the HWLE Servers.

Particulars of identity

The Persons Unknown identity themselves as part of a criminal enterprise known as ‘ALPHV’ or ‘BlackCat’.

4)    The HWLE Data which was exfiltrated (the Impacted Dataset) was located on a computerised server labelled ‘MELFS2’ and which was segmented into the following parts referred to as ‘Drives’):

(a)   ‘Precedents Drive’, which stored precedent libraries and client reporting material and was utilised primarily by HWLE’s Finance, Human Resources and IT staff.

(b)   ‘Groups Drive’, which was used for short term storage of large or bulk files by all staff in relation to specific matters. It also contained materials scanned from printers.

(c)   ‘Home Drive’ which was the collection of the individual folders of files on the individual desktops of all employees known as the ‘Desktop’, ‘Download’, and ‘Document’ folders. This Drive therefore also contains information relating to employee’s personal matters, together with client and HWLE-specific data.

(d)   ‘Long Term Drive’ which was a storage location primarily used for large or bulk files requiring long-term storage in relation to specific matters.”

Amendments

12 February 2024 - typographical error to counsel's surname, corrected on coversheet and in paragraph [2].

12 February 2024 - Case title, typographical error

Decision last updated: 12 February 2024