PML v Person(s) Unknown (responsible for demanding money from the Claimant on 27 February 2018)

Jurisdiction: England & Wales
Judge: The Honourable Mr Justice Nicklin
Judgment Date: 17 April 2018
Neutral Citation: [2018] EWHC 838 (QB)
Court: Queen's Bench Division
Docket Number: Case No: HQ18M01069
Date: 17 April 2018
Between:
PML
Claimant
and
Person(s) Unknown (responsible for demanding money from the Claimant on 27 February 2018)
Defendant

[2018] EWHC 838 (QB)

Before:

THE HONOURABLE Mr Justice Nicklin

Case No: HQ18M01069

IN THE HIGH COURT OF JUSTICE

QUEEN'S BENCH DIVISION

MEDIA & COMMUNICATIONS LIST

Royal Courts of Justice

Strand, London, WC2A 2LL

Adam Speker (instructed by Taylor Wessing LLP) for the Claimant

The Defendant(s) did not attend and was not represented

Hearing date: 11 April 2018

Judgment Approved

The Honourable Mr Justice Nicklin:

1. This is another blackmail case in the Media & Communications List. PML is a UK company. In February 2018, its computers were secretly hacked and a very large quantity of data stolen. On 27 February 2018, the Defendant sent an email to three directors of the Claimant. Its terms were unsubtle and unambiguous:

“As an Executive Director you should know that your company's servers are hacked. All the information from your servers – documents… databases, reports client's databases, private documents, internal workflow, all correspondence in fine (sic) ALL the DATA has been copied, safely hidden and well protected. Proofs of my words attached below (some files which I could not ever possibly have)…

[details of a website which was hosting the stolen document was provided together with the login and password details (“the Cache Website”)]

I offer you a simple deal. All future business of the company depends upon this deal, as a result. You know, you have two ways:

(1) To pay. I delete all the data. I'll also explain how to prevent such attacks in future to be safe and we forget about each other, forever.

(2) Not to pay. And in this case, I publish all information in public. I think you will understand what happens next: the shares of the company will collapse; the company's credibility will be undermined; all contracts, documents, databases and all internal correspondence of the company – everything is going to be public. I can arrange it, no doubt. It's going to be the dead end for the reputation of your company.

There are simply no other ways. I won't be looking for any private buyer who can also pay me for this information. I don't need that. I will never contact you again, because I'll delete all the information, so you either pay me or the data goes in total public access.

As for guarantees, I act as a private person and money is all I interested in (sic). As soon as I receive money, I will delete the data and forget about your company, as I said, I don't care about it. So, you'll never hear from me again. I will not try to resell the data, because it's very dangerous and may end badly for me, as a result.

Here are the terms:

The cost is 300,000 (three hundred thousand Great British Pounds) paid via Bitcoin money system. Deadline – 2 weeks. (The term is based on life experience. It is enough time to verify that the data is really mine, hold meetings and/or consult regarding this matter (if necessary) and finally buy enough Bitcoin coins). In 2 weeks time, if I won't receive the money (sic) I post the data in public access (available for anyone in the world), as it is written below. I can't accept a delay if there's no VERY reasonable cause.

P.S.

1) Please do not try to close the server with the data, it's just a mirror, as a proxy, it will not help you. Data is securely archived, hidden and protected.

2) Please do not make any noise; any appeal to the police, the Europol or anything else will cause an immediate publication of ALL the Information.

I will explain how it will look like.

[details are given of how the Defendant threatened to release the Claimant's data via various forums and portals, week by week]

3) So, please, do not pretend that I do not exist, do not ignore me or break the deadlines. It will simply cause the publication of all the information. You will also incur huge losses and I will go further.

4) Nothing personal – just business…

Best regards. [name redacted]”

2. The email attached a selection of different documents which appeared to have come from the Claimant's computer systems. The Claimant's investigations established that someone had hacked into the Claimant's servers and extracted information and data. The threat in the email appeared to be genuine.

3. The Claimant reported the matter to the police immediately. Their investigations are ongoing.

4. Email communications between the Claimant and the Defendant continued through early March. In summary, the Claimant had no intention of paying the sum demanded but, by requesting extensions of the deadline and assurances as to the promise to delete the data if the money was paid, kept the Defendant engaged. After the expiry of one of the revised deadlines, the Defendant increased the sum he demanded to £350,000. The Defendant also threatened to start looking for buyers for the stolen data. He did, however, offer to accept payment in instalments.

5. On 21 March 2018, the Claimant applied to the Court, without notice to the Defendant, for an interim non-disclosure order to restrain the threatened breach of confidence and for delivery-up and/or destruction of the stolen data. The application came before Bryan J as interim applications Judge. The Judge sat in private, granted the injunction and made a series of further orders including anonymising the Claimant and restricting access to the Court file (“the Injunction Order”). Bryan J gave an extempore judgment. He was satisfied that the requirements of s.12(3) Human Rights Act 1998 were met (i.e. that the Claimant was likely to demonstrate at trial that publication of the stolen documents would not be allowed). He was also satisfied that under s.12(2) the fact that the Claimant appeared to be a victim of blackmail and that there was a risk that, were the Defendant to be given notice of the application, he would publish the information, were compelling reasons why the Defendant had not been notified. Finally, the Judge was satisfied that the Claimant, as an apparent victim of blackmail, ought to be anonymised (ZAM v CFM and TFW [2013] EWHC 662 (QB) [39]–[41] and [44] per Tugendhat J; LJY v Person(s) unknown [2017] EWHC 3230 (QB) [2] per Warby J). The injunction was granted until a return day fixed for 11 April 2018.

6. The Injunction Order was served on the Defendant at 11am on 23 March 2018 using the only method available, the email account from which he had been corresponding with the Claimant. The Defendant replied at 11.09, defiantly: “you made [your] choice, I make my own. On Monday the information will be published. Good luck”. At 14.06 he emailed to state that he had removed the password protection on the Cache Website thereby allowing...
