Hunton Andrews Kurth writes:
On December 20, 2022, the English High Court granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant’s identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach.
The claimant provided technology services and its databases contained information concerning various “security-sensitive and highly classified projects of national significance.” The unknown defendant sent a ransom note stating they had downloaded the claimant’s databases and servers and had encrypted some of the claimant’s files. The hackers demanded over U.S. six million in exchange for decryption and non-disclosure of the information via e-mail. The affected data was made up of three main categories: (1) security sensitive; (2) commercially sensitive; and (3) personal data.
Read more at Privacy & Information Security Law Blog.
So a victim of a cyberattack being threatened with exposure of their data can seek and obtain an injunction without having their identity revealed in court. While that sounds reasonable in terms of providing the claimant/victim some protection from reputational harm, how does it really help when it is not going to stop threat actors from dumping data? When data breaches and dumps are reported and discussed globally, how much help is this approach?