UK Court Issues John Doe Injunction Against Cyber Attacker

The High Court of Justice in the United Kingdom issued a permanent injunction against unnamed cyber attackers, at the request of a company that had sustained cyberattacks and whose name remains undisclosed under the court order. The court ruled that the plaintiff's anonymity must be preserved because releasing the company’s identity would advance the goals of the unnamed cyber attackers and harm the company’s business.

A John Doe injunction is rarely issued because it requires significant justification to outweigh the fundamental principle of the public's right to know. Yet companies in the United Kingdom can request a restraining order against attackers (such as cyber criminals) whose identities are not known and without publishing the company’s identity. The purpose of these John Doe injunctions is to prevent publications acknowledging that the attacker managed to access the company’s databases, prevent reputational harm, and dissuade the cyber attackers.

The company whose name remains undisclosed provides technological services. Its databases contain information about sensitive projects of national importance. The unknown attacker sent the company a ransom note announcing that they had stolen the company’s databases and encrypted some of the files. The attacker demanded a ransom of over 6 million dollars to decrypt the data and not disclose the information on the ‘dark web’. The company immediately sought and secured an injunction to enjoin the unnamed defendant from doing so.

The effectiveness of this kind of injunction is very limited considering that cyber offenders are not respectful of orders issued by His Majesty's courts.

Click here to read the full judgment of the UK High Court of Justice.