Australasian Automotive Business Solutions Ltd v Unknown Defendants

IN THE HIGH COURT OF NEW ZEALAND AUCKLAND REGISTRY I TE KŌTI MATUA O AOTEAROA TĀMAKI MAKAURAU ROHE

CIV-2024-404-345 [2024] NZHC 301

BETWEEN	AUSTRALASIAN AUTOMOTIVE BUSINESS SOLUTIONS LTD Plaintiff
AND	UNKNOWN DEFENDANTS Defendant

Judgment: (On the papers)

23 February 2024

JUDGMENT OF BREWER J

Solicitors:
Simpson Grierson (Auckland) for Plaintiff

AUSTRALASIAN AUTOMOTIVE BUSINESS SOLUTIONS v UNKNOWN DEFENDANTS [2024] NZHC

301 [23 February 2024]

[1]        Australasian Automotive Business Solutions Ltd as plaintiff applies without notice for an injunction against unknown defendants.

[2]        The background is that the plaintiff suffered a cyber-attack in or around early February 2024 which resulted in confidential client information being copied and extracted by the perpetrator (“the threat actor”).

[3]        The threat actor is attempting to blackmail the plaintiff. It has contacted the plaintiff and threatened to disclose the information copied and extracted (“Impacted Dataset”) if its ransom demands are not satisfied.

[4]I accept the submission:

9. There is credible threat and significant risk that some or the Impacted Dataset may be posted on the threat actor’s blog on the dark web, making the information available to the world at large. This risk continues even if a ransom is paid and appears nearly certain if the threat actor’s demands are not satisfied.

[5]I also accept the submission:

11. It is submitted that there is overwhelming public interest in providing protection to prevent (as much as possible) the Impacted Dataset from being accessed, reviewed, and disclosed.

[6]        There is ample precedent for restraining orders by way of injunction being issued against unknown defendants.1

[7]        Having read the affidavits of David Murdoch, Richard Johnston and Campbell McKenzie in support of the application, I am satisfied that the requirements for injunctive relief are made out. The plaintiff points to breach of confidence, but clearly if the computer hacking and subsequent blackmail are proved then there are other causes of action available.

1      Commerce Commission v Unknown Defendant(s) [2019] NZHC 2609, [2019] NZAR 1945, Slater v APN New Zealand Ltd [2014] NZHC 2157 and, more recently, Te Whatu Ora New Zealand v Unknown Defendants [2023] NZHC 71.

[8]        There is certainly a serious question to be tried and the balance of convenience clearly favours the granting of urgent without notice interim relief. The assessment of overall justice equally clearly favours the granting of relief.

[9]The orders sought are:

(a)Restraining all unknown defendants from accessing or performing any set of operations on the Impacted Dataset (defined below) or its contents, without the written consent of the plaintiff, including creating any derivation of, or using, accessing, collecting, searching, reviewing, copying, structuring, organising, adapting, retrieving, inputting, storing, broadcasting, publishing, sharing, making available to any members of the public, transferring, or disclosing any information, data or documentation, whether by manual or automated means, from the Impacted Dataset;

(b)Requiring all unknown defendants to permanently delete any and all copies of the Impacted Dataset or any information obtained from it in their possession or control, and provide an undertaking at the request of the plaintiffs that they have done so;

(c)Requiring all unknown defendants to permanently delete and take down any and all publications of or links to copies of the Impacted Dataset or any information obtained from it;

(d)For the avoidance of doubt, nothing in these orders prevents unknown defendants or any other person from using, or disclosing information included in the Impacted Dataset which was already in or subsequently comes into their possession lawfully and other than as a result of a breach of interim or permanent orders made by the Court in these proceedings;

(e)Reserving leave to any person impacted by these orders to apply to the Court for variation on three working days’ notice;

(f)Interim confidentiality and non-publication orders are made in respect of the affidavits filed in support of the application for interim relief;

(g)If any application to search the court file is made, the plaintiff is to be given notice and an opportunity to be heard;

(h)The following expressions in the orders sought to have the following meanings:

(i)“Unknown Defendants” means those persons currently unknown who carried out or participated in the unauthorised exfiltration of the Impacted Dataset from the plaintiff’s group of companies and one of its clients, Coombes Johnston European Limited, and any other third party who has obtained, or may seek to obtain access to the Impacted Dataset, or who have otherwise been provided with information from the Impacted Dataset.

(ii)“Impacted Dataset” means the data which was subject to unauthorised exfiltration from the computer systems of the plaintiff’s group of companies and Coombes Johnston European Limited by way of a cyber-attack on or around early February 2024.

[10]      Accordingly, the unknown defendants exclude the innocent and in any event leave is reserved to any person impacted by the orders to apply for variation.

Decision

[11]      The application for injunction without notice is granted. I make orders as applied for and set out in paragraph 1 of the application.

Brewer J