Opinion

Cyber-attack victim obtains injunction to prevent publication of stolen data

Published Date
Sep 6 2024
Following a high-profile cyber-attack earlier in the year which impacted the medical data of NHS patients, the English High Court granted Synnovis an interim injunction which prevents the publication of the stolen data. This stands as another example of a cyber-attack victim (and, on this occasion, a data processor) concluding that the circumstances of their case justified obtaining an injunction.

Background

Synnovis Services LLP (Synnovis) provides pathology-related laboratory services to customers including London hospital trusts (the Hospitals). On 3 June 2024, Synnovis suffered a serious ransomware attack which affected all of its systems and involved the theft of sensitive medical information. The attack disrupted Synnovis’ pathology services and, consequently, the activities of the Hospitals.

A ransomware group called Qilin claimed responsibility and left a ransom note on Synnovis’ encrypted systems. The note threatened to publish stolen data unless a ransom was paid. Some data from the cyber-attack was then published via Telegram and on a website called “Wikileaksv2” which was thought to be a clone site operated by the criminals responsible for the attack. Take down letters were sent to both Telegram and the host of Wikileaksv2 but neither responded.

The application

Synnovis applied for an interim injunction to prevent publication of the stolen data, accompanied by an “anti-hacking injunction” to prevent further unauthorised access to its systems, as well as orders for alternative service and derogation from open justice (i.e. a private hearing).

The judge granted the injunctions and other orders sought. Notably, the judge:

  • found that a private hearing was justified as there was a real risk of further or more widespread disclosure if the hearing was conducted in public;
  • reiterated the position from previous cases that the remote likelihood of those responsible complying was not a good reason to withhold an injunction;
  • allowed for service of the injunction by email to the address given by Qilin, as well as on Telegram and the host of Wikileaksv2; and
  • provided for any data controller whose data had been stolen to be able to apply to be joined as a claimant for the purposes of enforcing or seeking variations to the order or seeking further orders.

Comment

While practices vary from jurisdiction to jurisdiction, in England and Wales it is not currently standard practice for cyber-attack victims to apply for an injunction to prevent stolen data from being published. While there are examples of injunctions being sought and granted, sometimes with the benefit of an anonymity order, these have been exceptional and tend to have involved highly sensitive information. Other perceived benefits of obtaining an injunction in this type of scenario include that it makes take down requests more straightforward, and that it enables the victim to show customers, data controllers and data subjects that they have done everything possible to prevent further dissemination of their data.

In this case, the data was undoubtedly sensitive (medical information). As well as the profile of this incident, another factor that may have taken this outside the normal run of cases is that two parties with the ability to stop data being published had not done so, in spite of take down letters being sent and one of the parties (Telegram) being notified about the application. While there were, doubtless, good reasons for the approach taken here, in each case the benefits of seeking an injunction must be balanced against the disadvantages (for example, cost and publicity), always with the particular context of the case in mind.

Finally, it is worth emphasising that, in this case, it was the data processor (Synnovis) that went to the trouble of obtaining the injunction. While the data controllers (the Hospitals) could equally have obtained injunctions in relation to their data, the approach taken reflects the practical reality of the situation – namely, that it is the victim organisation with detailed knowledge of the incident and wider circumstances that typically takes the lead on actions of this nature.