PML v Person(s) Unknown (responsible for demanding money from the Claimant on 27 February 2018)
Jurisdiction | England & Wales |
Judge | The Honourable,Mr Justice Nicklin |
Judgment Date | 17 April 2018 |
Neutral Citation | [2018] EWHC 838 (QB) |
Court | Queen's Bench Division |
Docket Number | Case No: HQ18M01069 |
Date | 17 April 2018 |
[2018] EWHC 838 (QB)
THE HONOURABLE Mr Justice Nicklin
Case No: HQ18M01069
IN THE HIGH COURT OF JUSTICE
QUEEN'S BENCH DIVISION
MEDIA & COMMUNICATIONS LIST
Royal Courts of Justice
Strand, London, WC2A 2LL
Adam Speker (instructed by Taylor Wessing LLP) for the Claimant
The Defendant(s) did not attend and was not represented
Hearing date: 11 April 2018
Judgment Approved
This is another blackmail case in the Media & Communications List. PML is a UK company. In February 2018, its computers were secretly hacked and a very large quantity of data stolen. On 27 February 2018, the Defendant sent an email to three directors of the Claimant. Its terms were unsubtle and unambiguous:
“As an Executive Director you should know that your company's servers are hacked. All the information from your servers – documents… databases, reports client's databases, private documents, internal workflow, all correspondence in fine (sic) ALL the DATA has been copied, safely hidden and well protected. Proofs of my words attached below (some files which I could not ever possibly have)…
[details of a website which was hosting the stolen document was provided together with the login and password details (“the Cache Website”)]
I offer you a simple deal. All future business of the company depends upon this deal, as a result. You know, you have two ways:
(1) To pay. I delete all the data. I'll also explain how to prevent such attacks in future to be safe and we forget about each other, forever.
(2) Not to pay. And in this case, I publish all information in public. I think you will understand what happens next: the shares of the company will collapse; the company's credibility will be undermined; all contracts, documents, databases and all internal correspondence of the company – everything is going to be public. I can arrange it, no doubt. It's going to be the dead end for the reputation of your company.
There are simply no other ways. I won't be looking for any private buyer who can also pay me for this information. I don't need that. I will never contact you again, because I'll delete all the information, so you either pay me or the data goes in total public access.
As for guarantees, I act as a private person and money is all I interested in (sic). As soon as I receive money, I will delete the data and forget about your company, as I said, I don't care about it. So, you'll never hear from me again. I will not try to resell the data, because it's very dangerous and may end badly for me, as a result.
Here are the terms:
The cost is 300,000 (three hundred thousand Great British Pounds) paid via Bitcoin money system. Deadline – 2 weeks. (The term is based on life experience. It is enough time to verify that the data is really mine, hold meetings and/or consult regarding this matter (if necessary) and finally buy enough Bitcoin coins). In 2 weeks time, if I won't receive the money (sic) I post the data in public access (available for anyone in the world), as it is written below. I can't accept a delay if there's no VERY reasonable cause.
P.S.
1) Please do not try to close the server with the data, it's just a mirror, as a proxy, it will not help you. Data is securely archived, hidden and protected.
2) Please do not make any noise; any appeal to the police, the Europol or anything else will cause an immediate publication of ALL the Information.
I will explain how it will look like.
[details are given of how the Defendant threatened to release the Claimant's data via various forums and portals, week by week]
3) So, please, do not pretend that I do not exist, do not ignore me or break the deadlines. It will simply cause the publication of all the information. You will also incur huge losses and I will go further.
4) Nothing personal – just business…
Best regards. [name redacted]”
The email attached a selection of different documents which appeared to have come from the Claimant's computer systems. The Claimant's investigations established that someone had hacked into the Claimant's servers and extracted information and data. The threat in the email appeared to be genuine.
The Claimant reported the matter to the police immediately. Their investigations are ongoing.
Email communications between the Claimant and the Defendant continued through early March. In summary, the Claimant had no intention of paying the sum demanded but, by requesting extensions of the deadline and assurances as to the promise to delete the data if the money was paid, kept the Defendant engaged. After the expiry of one of the revised deadlines, the Defendant increased the sum he demanded to £350,000. The Defendant also threatened to start looking for buyers for the stolen data. He did, however, offer to accept payment in instalments.
On 21 March 2018, the Claimant applied to the Court, without notice to the Defendant, for an interim non-disclosure order to restrain the threatened breach of confidence and for delivery-up and/or destruction of the stolen data. The application came before Bryan J as interim applications Judge. The Judge sat in private, granted the injunction and made a series of further orders including anonymising the Claimant and restricting access to the Court file (“the Injunction Order”). Bryan J gave an extempore judgment. He was satisfied that the requirements of s.12(3) Human Rights Act 1998 were met (i.e. that the Claimant was likely to demonstrate at trial that publication of the stolen documents would not be allowed). He was also satisfied that under s.12(2) the fact that the Claimant appeared to be a victim of blackmail and that there was a risk that, were the Defendant to be given notice of the application, he would publish the information, were compelling reasons why the Defendant had not been notified. Finally, the Judge was satisfied that the Claimant, as an apparent victim of blackmail, ought to be anonymised ( ZAM v CFM and TFW [2013] EWHC 662 (QB) [39]–[41] and [44] per Tugendhat J; LJY v Person(s) unknown [2017] EWHC 3230 (QB) [2] per Warby J). The injunction was granted until a return day fixed for 11 April 2018.
The Injunction Order was served on the Defendant at 11am on 23 March 2018 using the only method available, the email account from which he had been corresponding with the Claimant. The Defendant replied at 11.09, defiantly: “ you made [your] choice, I make my own. On Monday the information will be published. Good luck”. At 14.06 he emailed to state that he had removed the password protection on the Cache Website thereby allowing...
To continue reading
Request your trial-
CMOC Sales & Marketing Ltd v Person Unknown and 30 others
...unless they were paid a ransom; see, for example, the decision of Mr Justice Nicklin in PML v Person(s) Unknown (responsible for demanding money from the Claimant on 27 February 2018) [2018] EWHC 838 (QB) and that of Mr Justice Warby in Clarkson Plc v Person or Persons Unknown (who has or ......
-
AA v Persons Unknown
...AC 1175. Norwich Pharmacal Co v C & E Commrs [1974] AC 133. NPV v QEL [2018] EWHC 703 (QB); [2018] EMLR 20. PML v Persons Unknown [2018] EWHC 838 (QB). Polly Peck International plc v Nadir (No. 2) [1992] 4 All ER 769. Robertson v Persons Unknown (unreported, 15 July 2019, Moulder J). Scott ......
-
Armstrong Watson LLP v Person(s) Unknown responsible for obtaining data from the Applicant's IT systems on or about 28 February to 6 March 2023 and/or who has disclosed or is intending or threatening to disclose the information thereby obtained
...that it is appropriate to proceed, in the first instance, without notifying the defendant: see, for instance: PML v Persons Unknown [2018] EWHC 838 (QB) (‘ PML’), at para. 5; and The Ince Group plc v Person(s) Unknown [2022] EWHC 808 (QB) (‘ Ince’), at para. 14 In addition providing notic......
-
ZSCHIMMER & SCHWARZ GMBH & CO. KG CHEMISCHE FABRIKEN vs PERSONS UNKNOWN
...or Persons Unknown [2016] EWHC 2354 (QB), [2016] All ER (D) 85 (Sep) (theft of information by hackers); PML v Person(s) Unknown [2018] EWHC 838 (QB) (hacking and blackmail); CMOC v Persons Unknown [2017] EWHC 3599 (Comm), [2017] All ER (D) 180 (Oct) (hacking and theft of funds). Cases decid......
-
Cybercrime and blackmail – court remedies and GDPR
...the fight against cybercrime: Clarkson Plc v Person or Persons Unknown [2018] EWHC 417 (QB), 7 March 2018 and PML v Person(s) Unknown [2018] EWHC 838 (QB), 17 April 2018 Cyber-blackmail In both cases, the claimant companies were hacked by unknown individual(s) who had gained unauthorised ac......
-
Professional Negligence Claims Arising Out Of GDPR
...steps that can be taken were illustrated last week in PML v Persons Unknown (responsible for demanding money from the Claimant) [2018] EWHC 838 (QB), where Nicklin J granted an injunction against unnamed hackers, which could then be used to prevent third parties publishing the Issues are li......
-
Cyberattack - remedies against anonymous hackers
...embrace mechanisms in order to allow victims of cyber crime to pursue effective legal remedies. Footnotes: 1 PML v Person(s) Unknown [2018] EWHC 838 (QB). 2 Clarkson Plc v Person or Persons Unknown [2018] EWHC 417 3 [2018] EWHC 2674 (QB). 4 eDate Advertising GmbH v X (Cases C-509/09 and C-1......