The University of Notre Dame Australia v Persons Unknown

Case

[2025] NSWSC 550

29 May 2025

Supreme Court


New South Wales

Medium Neutral Citation: The University of Notre Dame Australia v Persons Unknown [2025] NSWSC 550
Hearing dates: 6 May 2025
Date of orders: 29 May 2025
Decision date: 29 May 2025
Jurisdiction: Equity - Applications List
Before: Brereton J
Decision:

See [60]

Catchwords:

EQUITY – Equitable remedies – injunctions – where the plaintiff seeks leave to proceed pursuant to UCPR r 11.8AA – where the plaintiff seeks final relief by way of default judgment - where defendants’ names unknown but defendants involved in clearly identifiable acts – injunctive relief ordered against such “persons unknown” – non-publication and suppression orders.

Legislation Cited:

Court Suppression and Non-publication Orders Act 2010 (NSW)

Supreme Court Rules 1970 (NSW)

University of Notre Dame Australia Act 1989 (WA)

Uniform Civil Procedure Rules 2005 (NSW)

Cases Cited:

Agar v Hyde (2000) 201 CLR 552; [2000] HCA 41

Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761

Bulldogs Rugby League Club Ltd v Williams [2008] NSWSC 822

DRJ v Commissioner of Victims Rights [2020] NSWCA 136

HWL Ebsworth Lawyers v Persons Unknown (2024) 113 NSWLR 418; [2024] NSWSC 71

Lord Ashburton v Pape [1913] 2 Ch 469

Moorgate Tobacco Co Ltd v Philip Morris Ltd (No 2) (1984) 156 CLR 414; [1984] HCA 73

Rossiter v Core Mining Ltd [2015] NSWSC 360

Sigalla v TZ Ltd [2011] NSWCA 334

Western Sydney Local Health District v Jaca [2017] NSWSC 1626

X v Twitter Inc (2017) 95 NSWLR 301; [2017] NSWSC 1300

X v Y & Z [2017] NSWSC 1214

Texts Cited:

N.A.

Category: Principal judgment
Parties: The University of Notre Dame Australia (plaintiff)
Persons Unknown (as defined in the statement of claim) (defendant)
Representation:

Counsel:
T Maltz (plaintiff)
No other appearances

Solicitors:
[redacted] (plaintiff)
File Number(s): 2025/64219
Publication restriction: Yes

JUDGMENT

Background

  1. This is an application for leave to proceed and for default judgment against defendants who have not been personally named because their identities are unknown. I set out in the following paragraphs some background factual matters that have been established on evidence that has not been challenged.

  2. The University of Notre Dame Australia is a national Catholic university. It is a body corporate established by the University of Notre Dame Australia Act 1989 (WA). The University has become the victim of an extortion attempt. In January this year, in excess of 60 GBs of data, comprising some 60,000 files, were stolen by unnamed extortionists. Many of the files contain confidential information concerning the University’s internal operations, as well as the records of students, staff and faculty members.

  3. The extortionists operate under the name “Fog”, who I will refer to as the threat actor. It is not certain whether there is just one person who is seeking to extort money from the University or whether there are multiple persons involved. The evidence suggests there is more than one person. There is evidence that the members of Fog are likely to reside in the United States and countries throughout Europe.

  4. On 25 January 2025, a ransom note was discovered on the University’s computer system. The message included the following: “If you are reading this, then you have been the victim of a cyber-attack. We call ourselves Fog and we take responsibility for this incident”. The note indicated that to contact Fog, so as to “communicate safely”, it was necessary to have the TOR browser installed, to follow a link that was provided and then enter a particular code. There is evidence that a link in the ransom note leads to a data leak site run by Fog that is used to publish the names and captured data of victims if they fail to pay the ransom. The publication occurs on the “dark web”, which is a part of the internet that is not readily accessible by everyday individuals.

  5. The University engaged [redacted], a forensic investigation expert, and [redacted], a threat intelligence provider, to assist the University to address the cyber-attack.

  6. With the assistance of the threat intelligence provider, the University opened the line of communication via the link provided by the threat actor. The forensic investigation expert was able to confirm that data had been exfiltrated from the University’s computer servers by the threat actor, although it has not been able to verify what data has been exfiltrated.

  7. On 4 February 2025, the threat actor communicated an initial ransom demand. It was in the following terms: “Bosses demand is 1.2mil usd. you lost many personal files”.

  8. On 12 February 2025, the threat actor posted on its data leak site, identifying the University as a victim. The post alleged that it had extracted 62.2 GBs of data, containing employee and customer contacts, student medical documents as well as confidential agreements, licenses and nondisclosure agreements.

  9. The students who attend the University, and the faculty and staff who work there, entrust the University with confidential information and engage in confidential communications with the University about personal and educational matters. The University sought to curtail the damage, and prospective damage, that will be suffered by the University, students, faculty and staff by the unauthorised dissemination of confidential information by commencing proceedings in this Court on 18 February 2025.

  10. The University obtained urgent ex parte interlocutory injunctive relief from the Court on 18 February 2025 against “persons unknown”. The interlocutory injunction was extended by the Court on 20 February 2025 and it remains in place.

  11. To date, the University has not paid any ransom. As far as the University is aware, the threat actor has not carried out the threat to publish any of the exfiltrated data. There have been media reports of the fact of the incident.

  12. By notice of motion filed on 7 April 2025, the University seeks leave to proceed pursuant to UCPR r 11.8AA and final relief by way of default judgment pursuant to UCPR r 16.10 against the defendants, who are referred to as “Persons Unknown”.

  13. For the reasons that follow, I will give leave to proceed and default judgment.

  14. The circumstances of this case are similar to those considered by Slattery J in HWL Ebsworth Lawyers v Persons Unknown (2024) 113 NSWLR 418; [2024] NSWSC 71. The clear articulation of principle in that matter is of considerable assistance, relieving me of the task of setting out the relevant principles in detail, and enabling me to be relatively brief in giving my reasons. There are some minor departures from what was ordered in that case, which I address in the reasons below.

Leave to proceed

  15. On 18 February 2025, Williams J made orders for substituted service. Pursuant to those orders, the filed (redacted) statement of claim, supporting affidavits and other documents were served. Service occurred in accordance with those orders by sending the documents using the TOR browser in the link provided by the ransom note. The communication included a Dropbox link permitting the redacted documents to be downloaded. The Court can be satisfied that the communication was successful because there was a response with the message: “i see ok”.

  16. On 20 February 2025, the interlocutory orders made on that day were served via the TOR browser. There was a response as follows: “no I am not interested”.

  17. On 21 February 2025, the threat intelligence provider re-served the redacted statement of claim and served a customised Form 161 notice. A Form 161 notice must be served when an originating process is served on a defendant who is ordinarily resident outside of Australia – see UCPR r 11.7. The form was re-served because the notice served on 18 February 2025 had not been completed properly; in particular, it failed to identify the grounds alleged by the University to support its claim to be entitled to serve the defendants outside Australia. The 21 February 2025 communication provoked the following response: “ok”.

  18. The location of the defendants is unknown. It is likely, however, that they are outside Australia. The University has proceeded on that basis and it is appropriate that it has done so.

  19. UCPR r 11.8AA provides as follows:

(1)     If an originating process is served on a person outside Australia and the person does not enter an appearance, the party serving the document may not proceed against the person served except by leave of the court.

(2)     An application for leave under subrule (1) may be made without serving notice of the application on the person served with the originating process.

  20. It follows that the first thing the University requires before it can obtain default judgment is leave to proceed.

  21. UCPR r 11.8 provides:

Except when the court otherwise orders, a defendant who has been served outside of Australia must file an appearance within 42 days from the date of service.

  22. I am satisfied that the defendants have been served with the statement of claim in accordance with the orders of the Court and have notice of the claim. They were first served on 18 February 2025 (and again on 21 February 2025) and had 42 days to file an appearance. No appearance has been filed.

  23. The statement of claim gave notice to the defendants that if they did not file a defence within 28 days of being served, they will be in default and the Court may enter judgment against them without any further notice. It seems peculiar that a defendant served outside Australia has 28 days to file a defence but 42 days to file an appearance, but that does not matter for present purposes.

  24. The notice of motion filed on 7 April 2025 has not been served. In HWL Ebsworth, the notice of motion for the entry of default judgment was served in accordance with orders of the Court (see [24]). However, UCPR r 11.8AA(2) expressly provides that an application for leave under r 11.8AA(1) may be made without notice. Furthermore, r 16.3(1A) provides that an application for default judgment need not be served on the defendant. It is appropriate for the Court to proceed on the present application notwithstanding that the notice of motion has not been served.

  25. There is a question about whether there are other matters that must be established by the University in order to be granted leave to proceed. In Bulldogs Rugby League Club Ltd v Williams [2008] NSWSC 822, Austin J referred to the decision in Agar v Hyde (2000) 201 CLR 552 and said (at [29]) that: “Other cases – and Agar v Hyde itself – indicate that there are essentially four matters to consider in an application for leave under r 11.4” (r 11.4 was relevantly in the same terms of what is now r 11.8AA). The “four matters”, addressed at [30]-[34], were: (1) proof of proper service; (2) whether the claim falls within Schedule 6 of the UCPR; (3) whether the plaintiff has an arguable case; and (4) whether the local forum is “clearly inappropriate” and there is some other forum that is more appropriate. The same four matters were identified in Rossiter v Core Mining Ltd [2015] NSWSC 360 at [11] and Western Sydney Local Health District v Jaca [2017] NSWSC 1626 at [5].

  26. I have difficulties seeing how those three decisions are consistent with the reasons of the plurality in Agar v Hyde. In those reasons, the plurality pointed out at [53] that it is necessary to recall “that there are different issues raised on the hearing of an application for leave to proceed from those that arise on the hearing of applications to set aside service or to decline to exercise jurisdiction”.

  27. Their Honours identified the issues raised on the hearing of an application for leave to proceed at [54] as follows:

Central to the inquiry on an application for leave to proceed is whether the originating process makes claims of a kind which one or more of the paragraphs in Pt 10 r 1A mention. If the originating process makes such a claim, r 1A provides that the process may be served outside Australia and, on proof of service of the process, the court’s jurisdiction is, prima facie, properly invoked over the party who has been served. In the absence of some countervailing consideration, leave to proceed should then be given.

Pt 10 r 1A of the Supreme Court Rules 1970 (NSW) at the time provided for service of originating process (without leave) in particular circumstances. It has been replaced by UCPR r 11.4 (with Schedule 6), which essentially operates in the same way. UCPR r 11.4(1) provides that: “Originating process may be served outside of Australia without leave in the circumstances referred to in Schedule 6”. At the time of the decision in Agar v Hyde, Pt 10 r 2 concerned leave to proceed, which is now addressed in similar terms by UCPR r 11.8AA.

  28. In Agar v Hyde at [55], the plurality’s reasons move to the different issues that arise in an application to set aside service, or an application to have the Court decline to exercise jurisdiction. That is where the reasons identify matters (2) to (4) that Austin J addresses in Bulldogs Rugby League Club v Williams at [30]-[34], although not as an “exhaustive description”. Paragraph 55 addresses applications under Pt 10 r 6A, which concerned orders setting aside an originating process. One matter the rule expressly provided for as a ground for setting aside an originating process was that “this Court is an inappropriate forum for the trial of the proceedings”. This is now the subject of UCPR r 11.6, which provides as follows:

(1)    On application by a person on whom an originating process has been served outside of Australia, the court may dismiss or stay the proceeding or set aside service of the originating process.

(2)    Without limiting subrule (1), the court may make an order under this rule if satisfied—

(a)    that service of the originating process is not authorised by these rules, or

(b)    that the court is an inappropriate forum for the trial of the proceeding, or

(c)    that the claim has insufficient prospects of success to warrant putting the person served outside Australia to the time, expense and trouble of defending the claim.

It can be seen that the matters addressed at r 11.6(2)(a)-(c) reflect the second to fourth matters identified in Bulldogs Rugby League Club v Williams as relevant on an application for leave to proceed.

  29. It also seems clear from [53] in Agar v Hyde that the plurality contemplated that on an application for leave to proceed that occurs without serving the notice of motion on the defendant, there is no occasion to consider any question about the strength of the plaintiff’s claim, which is hard to reconcile with matter (3) identified in Bulldogs Rugby League Club Ltd v Williams.

  30. On an application such as this one – where the defendant has not appeared and is not present, and where there is not going to be a trial, questions about the strength of the University’s claims do not appear to arise as a relevant consideration. It is also hard to see why questions of whether the Court is an inappropriate forum arise, especially in a case such as this one, where there is not going to be a trial. Generally speaking, the consideration of whether the forum is clearly inappropriate will focus on the oppression and vexation faced by the defendant who will be compelled to come to the local forum for the determination of the dispute. A defendant who has chosen not to appear, and so has chosen not to participate in the determination of the dispute, will not be oppressed or vexed by having to come to New South Wales.

  31. That is, in the reasons in Agar v Hyde at [54], the plurality was addressing the subject of applications for leave to proceed, which is now the subject of r 11.8AA. At [55], the plurality was addressing applications to set aside service, or to dismiss or stay the proceedings, which is now the subject of r 11.6. The four matters identified in Bulldogs Rugby League Club v Williams, Rossiter v Core Mining and Western Sydney Local Health District v Jaca are addressed by the plurality in Agar v Hyde in connection with an application to set aside service or to dismiss or stay the proceedings – not in connection with an application for leave to proceed.

  32. In my view, Agar v Hyde compels the conclusion that when the Court considers an application under r 11.8AA, leave should be granted if:

      1. there is proof of service;

      2. the Court is satisfied that the originating process, on its face, reveals that the claim engages r 11.4; and

      3. there are no apparent countervailing considerations that would cause the Court to exercise its discretion to decline to grant leave.

  33. In this case, there has been proof of service. The statement of claim seeks an injunction to compel or restrain the performance of any act in Australia, which engages r 11.4, because Schedule 6 row (d)(i) is engaged: see X v Y & Z [2017] NSWSC 1214 at [11]-[12]; X v Twitter Inc (2017) 95 NSWLR 301; [2017] NSWSC 1300 at [20]. The claim also relates to property in Australia, engaging Schedule 6(e): see HWL Ebsworth at [21]. I cannot see any countervailing considerations that suggest that leave should not be granted. There may be cases where Schedule 6 is engaged in a manner that can be said to be a merely colourable attempt to engage the jurisdiction of the Court, in which case leave should not be granted. That is not the case here.

  34. I also observe that it was probably unnecessary for the University to satisfy the Court that the originating process, on its face, reveals that the claim engages r 11.4. That is because on 18 February 2025, the Court gave leave (should it have been required) for the statement of claim to be served pursuant to r 11.5 (which concerns service by leave when it is not allowed under Schedule 6).

  35. While it seems to me that having regard to the wording of r 11.8AA, and in light of the reasons in Agar v Hyde, I am not required to consider whether the plaintiff has an arguable case or whether the local forum is clearly inappropriate, I recognise that there is authority to the contrary (as noted above). Accordingly, I have considered whether the University has an arguable case and whether the local forum is clearly inappropriate. Having regard to the pleaded case and the evidence before me, the University has a strong case (see further below) and this Court is plainly an appropriate forum to seek to obtain injunctive relief in respect of conduct throughout Australia, including New South Wales. The University’s servers that were hacked included servers located in Sydney. The University also has a campus in Sydney. I would infer that there is a likelihood that at least some of the natural persons who are potentially affected by the exfiltration of data reside in New South Wales.

  36. Accordingly, I will grant leave under UCPR r 11.8AA for the University to proceed against the defendants.

Default judgment

  37. The next matter is whether the University should have default judgment.

  38. UCPR r 16.10 provides:

Whatever the plaintiff’s claims for relief against a defendant in default, the court may, on application by the plaintiff, give such judgment against the defendant as the plaintiff appears to be entitled to on his or her statement of claim.

Are the defendants in default?

  39. The first thing to consider is whether the defendants are “in default”.

  40. UCPR r 16.2(1)(a) relevantly defines “in default” as follows:

if the defendant fails to file a defence within the time limited by rule 14.3(1) or within such further time as the court allows

  41. UCPR r 14.3(1) provides:

Subject to these rules, the time limited for a defendant to file a defence is 28 days after service on the defendant of the statement of claim or such other time as the court directs for the filing of a defence.

The defendants can only be “in default” for failing to serve a defence if they have been served with the statement of claim. I have already addressed the question of service.

  42. More than 28 days has passed since the defendants were served. They are relevantly “in default”.

The relief to which the plaintiff appears to be entitled on its statement of claim

  43. Having secured leave to proceed, and having shown that the defendants are in default because no defence has been filed in accordance with UCPR r 14.3, under r 16.10, the Court may give such judgment against the defendants as the University appears to be entitled to on its statement of claim.

  44. The pleaded case, which is also supported by affidavit evidence, is a compelling one. It pleads that the defendants exfiltrated a large amount of data from the University’s servers located in New South Wales and Western Australia that is likely to contain confidential information. The defendants have attempted to extort the University, so far by a demand of USD$1,200,000. The extortion carries the threat that stolen confidential information will be publicised in some fashion. The statement of claim pleads:

Access to and dissemination of the Exfiltrated Dataset has the potential to cause irreparable detriment including:

(a)   distress, reputational harm, emotional harm and embarrassment to the individuals whose personal information is contained within the Exfiltrated Dataset, as well as possible exposure to further crimes.

(b)    financial, operational and reputational damage with respect to The University business.

  45. The statement of claim does not in terms plead a cause of action or identify a particular legal right that it seeks to vindicate. But that does not involve any criticism. UCPR r 14.7 requires the pleading to contain only a summary of the material facts on which the University relies. It is apparent that the University contends that the defendants hold information that is, or is likely to be, confidential to the University and others to whom the University owes duties of confidence, that the defendants hold this information without authorisation and they threaten to misuse the confidential information.

  46. The University seeks by these proceedings to protect the confidence in the information that has been taken. The pleaded case is that the defendants have sought to rely on the confidential nature of the information, taken without authorisation, to extort money from the University, and have taken steps to ensure their identity and location cannot be detected (revealing a consciousness of wrongdoing). It is a straightforward matter for a court of equity to conclude that the defendants would have an obligation of conscience to keep the information confidential: Moorgate Tobacco Co Ltd v Philip Morris Ltd (No 2) (1984) 156 CLR 414 at 438 per Deane J. It is unnecessary to focus keenly on the importance of the information; equity would respond to the surreptitious manner in which the information was obtained: Lord Ashburton v Pape [1913] 2 Ch 469 at 475. There is exclusive equitable jurisdiction to grant relief against a threatened abuse of confidential information. This case involves such a threatened abuse, because the attempted extortion depends upon it. Relief in similar circumstances was granted in HWL Ebsworth. See also Armstrong Watson LLP v Person(s) Unknown [2023] EWHC 1761.

  47. The University seeks relief against the defendants, who are Persons Unknown. The Persons Unknown are defined in the statement of claim as follows:

The Defendants are defined as any person or entity which (i) carried out, participated in or assisted in the exfiltration of some or all of the Plaintiff’s Impacted Dataset (defined below); or (ii) in respect of the Exfiltrated Dataset (defined below), communicated payment demands or threats to the Plaintiff (directly or indirectly), or posted some or all of the Exfiltrated Dataset online for sale.

As Slattery J observed in HWL Ebsworth at [33], proceedings against “persons unknown” have been taken in other jurisdictions to deal with data theft. It is a jurisdiction that can be exercised by this Court. The University has sought to define the class of unnamed defendants with as much precision as appears to be possible. It does not bring an impermissible claim of injunctive relief against the world at large. The class of defendants has been drafted with the same precision as the drafting that was accepted as appropriate in HWL Ebsworth.

Discretion

  48. The Court retains a discretion as to whether to give default judgment pursuant to UCPR r 16.10.

  49. I accept that the grant of an injunction has utility, for the same reasons it was considered to have utility in HWL Ebsworth. Whether an injunction will be obeyed by the defendants is not known. They have shown themselves to be willing to engage in criminal behaviour and their identities remain unknown. But a defendant’s disdain for legal process is not a reason for the Court to decline to exercise its jurisdiction. An injunction also has utility because it will be useful for notification to potential publishers of the data to reinforce that they should not take steps to frustrate the effectiveness of the Court’s orders. It will also enable the University to inform online platforms which are at risk of publishing the material of the orders.

  50. I see no reason why the discretion should not be exercised in the University’s favour. I would describe the University’s entitlement to injunctive relief on a default basis using the same word used by Collins Rice J in Armstrong Watson LLP v Person(s) Unknown at [22]. It is irresistible.

Form of orders

  51. The form of orders that the University seeks are similar to those made in HWL Ebsworth.

  52. There are two departures of note.

  53. The first is that the injunction in HWL Ebsworth was expressed as follows: “The Defendants as defined below (and any other third party in possession of the Impacted Dataset that is made aware of these orders) is restrained from…” As so framed, the injunction could be read as extending, from time to time, to third parties who are not parties to the proceedings. The University seeks an injunction in a more conventional form, as follows: “The Defendants (by themselves, their agents, or by any third party in possession of some or all the Exfiltrated Dataset) be restrained from…” This makes it clear that the injunction lies only against the defendants, but recognises that they may act through other persons. In Sigalla v TZ Ltd [2011] NSWCA 334, Young JA (with whom Macfarlan JA and Handley AJA agreed) observed (at [13]): “that when an order is made injuncting X by himself, his servants or agents, that that is not an order against the servants or agents but merely a warning that if they knowingly assist X in the breach of the injunction, they may be in trouble”. The words “or by any third party in possession of some or all the Exfiltrated Dataset” in the proposed order may be less conventional. However, it is appropriate in this case because it recognises the different ways that the defendants may act. It is common for injunctions to be expressed in terms of an injunction against persons “by their servants, agents or otherwise”. The wording of the injunction sought by the University gives more specific and helpful content compared with the more general words “or otherwise”. I consider the framing of the injunction as proposed by the University is preferable to the form of order made in HWL Ebsworth.

  54. The second is that the University seeks a mandatory injunction that: “The Defendants take all steps to immediately remove all and any of the Impacted Dataset (including the Exfiltrated Dataset) from all accessible internet locations (including, for the avoidance of doubt, from ‘dark web’ locations)”. No such order was made in HWL Ebsworth, although it appears that no such order was sought. Slattery J did not expressly decline to make such an order. There is no evidence that any of the Impacted Dataset is available on any accessible internet locations. However, the character of the extortion means that it is conceivable that some of the information is accessible to some extent in some locations, including the dark web. I am prepared to grant an order of this kind.

Non-publication and suppression orders

  55. On 18 February 2025, Williams J made a non-publication order pursuant to s 7(b) of the Court Suppression and Non-publication Orders Act 2010 (NSW). Those orders prohibited, until further order, the publishing of certain information that was included in documents that were served on the defendants. The redacted information comprised:

a.    all references to the names and identifying details and contact details of any person or firm (including deponents and lawyers/law firms) named in or on a document, other than: (i) the named identity of the Plaintiff; (ii) the Court contact details; and (iii) the Plaintiff’s contact email address; and

b.    any descriptions of the Plaintiff’s response to the incident, that discloses:

i.    the Plaintiff’s information security response to the incident including the technical containment and remediation measures it has implemented over the Plaintiff’s IT environment;

ii.   the Plaintiff’s negotiation strategy with the Threat Actor;

iii.    the identity of the cyber-security experts the Plaintiff has engaged to assist with the response to the incident; and

iv.   the concerns the Plaintiff has about the effects of public disclosure of the information and the identification of the confidential aspects of the Exfiltrated Dataset.

  56. The grounds for the order (see s 8(2) of the Suppression Act) were that:

      1. the order is necessary to protect the safety of persons;

      2. the order is necessary to prevent prejudice to the administration of justice; and

      3. the order is necessary in the public interest.

  57. The University seeks a final non-publication order under s 7(b) of the Suppression Act, extending the order made by Williams J on 18 February 2025. The application concerns the same information and relies on the same grounds. It seeks an order for a duration of 3 years. The University also submitted that if the Court decides to publish reasons, it would be proper to refrain from disclosing in the reasons matters that are the subject of the non-publication order: see DRJ v Commissioner of Victims Rights [2020] NSWCA 136 at [50]. The University seeks non-publication and suppression orders in relation to that information.

  58. I am not prepared to make any final orders under the Suppression Act at this time. There is a public interest in the publication of these reasons and I propose to publish them. However, in the first instance I will make the reasons available only to the University and will make interim non-publication and suppression orders pursuant to s 10 of the Suppression Act. I consider that interim orders are necessary to prevent prejudice to the administration of justice. I will give the University 7 days to identify those parts of the reasons that it contends are properly the subject of non-publication and suppression orders and to make an application for appropriate orders. That application should also extend to the balance of the material before the Court, identifying with precision, the material that is the subject of the application. I have in mind that the application will, for example, identify the specific parts of the affidavits that are to be the subject of the orders (rather than merely to describe the general character of the material that is the subject of the orders). It should not be assumed that the matters that were the subject of non-publication orders on 18 February 2025, in the context of urgent ex parte relief, will be presumed to be the proper subject of orders, given the passage of time and the circumstances that now exist. I propose to reconsider the manner in which the Suppression Act applies in this case.

  3. The question of final non-publication and suppression orders, including with respect to these reasons, will be addressed, afresh, and as a matter of urgency, by reference to that application.

Orders

  1. I make the following orders:

  1. The Plaintiff has leave to proceed against the Defendants.

  2. The Defendants (by themselves, their agents, or by any third party in possession of some or all of the Exfiltrated Dataset) be restrained from:

  1. placing further material from the Impacted Dataset (including the Exfiltrated Dataset) at any location on the internet;

  2. transmitting, publishing or disclosing any of the Impacted Dataset (including the Exfiltrated Dataset) to any person or facilitating such steps;

  3. using (including viewing) any information from the Impacted Dataset (including the Exfiltrated Dataset) already in their possession for any purpose, other than obtaining legal advice in connection with these Orders;

  4. promoting or publishing any links to locations from which the Impacted Dataset (including the Exfiltrated Dataset) may be able to be downloaded;

except with the Plaintiff’s written consent.

  3. The Defendants are to take all necessary steps to remove all and any of the Impacted Dataset (including the Exfiltrated Dataset) from all accessible internet locations (including, for the avoidance of doubt, from ‘dark web’ locations).

  4. Nothing in these Orders prevents the Defendants or any other person from publishing, communicating, using or disclosing such of the Impacted Dataset which is:

  1. lawfully in their possession other than as copied from the Exfiltrated Dataset; or

  2. already in or thereafter comes into the public domain;

in each case, other than as a result of a breach of the Orders made by the Court in these proceedings.

  (5) Pursuant to s 10 of the Court Suppression and Non-publication Orders Act 2010 (NSW), the publication or disclosure of the Court's judgment of today’s date in this matter is prohibited, anywhere in Australia, pending the resolution of the application referred to in (6) below.

  (6) The Plaintiff is to make any application for final orders it seeks under the Court Suppression and Non-publication Orders Act 2010 (NSW) within 7 days. That application will be determined on the papers unless the Plaintiff, or any other interested person, specifically requests an oral hearing.

  (7) The Defendants to pay the Plaintiff’s costs.

Note: the definitions of “Confidential Categories”, "Persons Unknown" (being the Defendants), "Exfiltrated Dataset" and "Impacted Dataset" are set out in the statement of claim and are incorporated into these Orders below.

Definitions

The following expressions in these orders have the following meanings:

  1. “Confidential Categories” are defined in [5] of the statement of claim and are: (a) current student and alumni information and records; (b) employee and contractor information and records; and (c) The University's internal documents and communications.

  2. "Defendants", being the Persons Unknown, is defined in [2] of the statement of claim as follows: The Defendants are defined as any person or entity which (i) carried out, participated in or assisted in the exfiltration of some or all of the Plaintiff's Impacted Dataset (defined below); or (ii) in respect of the Exfiltrated Dataset (defined below), communicated payment demands or threats to the Plaintiff (directly or indirectly), or posted some or all of the Exfiltrated Dataset online for sale.

  3. “Exfiltrated Dataset” is defined in [6] of the statement of claim, as follows: a) that portion of the Plaintiff's Impacted Dataset obtained in an unauthorised manner by the Defendants (or any part thereof); and/or b) any data identified as the Plaintiff's data and as having been exfiltrated from the Plaintiff (or any part thereof), containing Confidential Categories of data.

  4. "Impacted Dataset" is defined in [4] of the statement of claim as follows: The term "Impacted Dataset" means the dataset which was accessed by the Defendants without authority, being a set of the Plaintiff's digital files stored or accessible on The University Servers including: a) four file servers: i. "BWMVFILE04" located in The University's Broadway campus; ii. "FRMVFILE04" located in The University's Freemantle campus; iii. "FRMVFILE05" located in The University's Freemantle campus; and iv. "FRMVFILE06" located in The University's Freemantle campus. b) one backup server: "FRMPPVEEAMO1" located in The University's Freemantle campus.

Addendum

  1. The plaintiff made an application for orders under the Court Suppression and Non-publication Orders Act pursuant to the order set out at [60(6)] above. On 24 June 2025 I made final orders under that Act.

  2. Those orders address particular parts of the evidence and submissions that were relied upon in these proceedings. In addition, non-publication orders were made in respect of these reasons. Relevantly for the purposes of these reasons, the non-publication orders extend to the identity of the following entities who were retained to assist the plaintiff in relation to the subject of these proceedings: (1) the forensic investigation expert, (2) the threat intelligence provider, and (3) the solicitors. The order is in operation for 3 years from 24 June 2025. A redacted form of the judgment will be published by the Court, consistently with those orders.

  3. A redacted form of the orders made today will also be published. The unredacted form of the orders will be maintained with the Court file.

**********

Amendments

30 May 2025 - See History

24 June 2025 - unredacted version uploaded

Decision last updated: 24 June 2025
