Confidential documents obtained from top-100 firm Ward Hadaway in a cyber attack were uploaded to the 'dark web' shortly after the firm obtained an interim injunction, the High Court heard today.
The firm was blackmailed for up to $6m (£4.75m) in bitcoin by an unidentified hacker, who said that files and data downloaded from its IT systems in March would be published online if $3m was not paid within a week, after which the ransom would double to $6m.
The hacker also sent Ward Hadaway a list of data and files claimed to have been copied in the attack. The list contained ‘a very large number of items’ – some of which were uploaded to the web in an encrypted form, the High Court was told.
Ward Hadaway was today granted a final injunction against ‘person or persons unknown responsible for engaging in a cyber attack on the [firm] … and/or who is threatening to release the information thereby obtained’, preventing the use or publication of the stolen data.
The court heard that the threat to Ward Hadaway is not just that ‘the threat actor is going to release the documents’, but that they may ‘sell it to someone else’ who may themselves attempt to extort money from the firm.
Mrs Justice Heather Williams said that the firm’s IT systems ‘hold a great deal of confidential information including personal data, some of which is sensitive personal data and information subject to legal professional privilege’.
‘The work that the claimant does includes acting for defendants in claims for damages for clinical negligence and in cases before the Court of Protection and therefore, inevitably, documents within its system reflect the work of that nature,’ she said.
The judge also said that, shortly after an interim injunction was granted in April, ‘a number of confidential files obtained from the claimant’s IT systems were uploaded to the dark web and made available for download’, adding: ‘I am informed that the documents included sensitive commercial information.’
She granted Ward Hadaway a final injunction, to be reviewed by the High Court in three years’ time, and entered default judgment against the defendant, who has played no part in the proceedings and whose identity is still unknown.
This article is now closed for comment.
9 Readers' comments