[BreachExchange] Businesses are using injunctions to stop hackers publishing secrets

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 19 18:01:18 EDT 2018


http://www.wired.co.uk/article/hacker-law-injunction-stop-publish-data


"Do not pretend that I do not exist, do not ignore me or break the
deadlines," was the message from one unknown hacker to a British company
targeted in February 2018. The person stole a "very large quantity of data".

Both the hacker and the hacked company are the subject of a High Court
injunction. The legal ruling from judge Matthew Nicklin has been taken out
to stop the company being named and prohibits hacked data from being stolen.

The case gives an insight into one hacker's demands to a company and how it
responded. It is the latest in a number of injunctions being taken out by
companies that are looking to protect information that has been stolen from
their servers.

"This case is a good illustration of what can be done to tackle cyber
crime," says Hugo Plowman, a partner at law firm Mishcon de Reya. "The
courts do try to keep pace with an ever-changing world of technological
advances. And the law does have teeth."

The hacker – who the company has not been able to identify – emailed three
directors telling them their information had been stolen. "All the
information from your servers – documents... databases, reports client's
databases, private documents, internal workflow, all correspondence in fine
[sic] ALL the DATA has been copied, safely hidden and well protected," the
initial email to the company read.

The hacker then demanded that a payment of £300,000, in bitcoin, be made
in two weeks. This was later raised to £350,000 after the company stalled.
If the company didn't pay up, the files would be released publicly, with the
intention of embarrassing the unnamed company (which has been given the
acronym PML).

If the company paid, the hacker claimed, the data would be deleted. "Money
is all I interested in [sic]," the initial email from the hacker continued.
The person then politely – using "please" – asked the company not to
contact the police, Europol or other investigatory bodies.

PML ignored the plea and contacted law enforcement, while also starting
legal proceedings. The injunction it obtained says information gained from
the hack shouldn't be published, as it would be a breach of confidence.
Nicklin's court judgement says the firm was a "victim of blackmail" and
could use legal powers to order web hosting companies to remove any data
the hacker tried to publish.

In March, the hacker took a password protection off the stolen documents
and also published details of them on a number of websites and forums. "The
Claimant served the Order on the company hosting the financial forum and
the relevant posts were removed," the court documents read. "The operators
of the website hosting the documents themselves also removed them."

When the documents were hosted on a server in another country, a legal
notice was issued to get the documents taken down. "In this case, it didn't
matter where the hacker may be located," Plowman says. "The court can and
will try cases in this country if the harm is suffered here or the
offending act takes place here as will often be the case if you are the
victim of a hack in this country."

Before the court hearing, on April 11, the hacker threatened to publish the
company's information elsewhere but may also have realised they weren't
going to get paid. As a result they dropped the asking price to £100,000.
One message read, "Nothing personal – just business".

In March, shipping company Clarksons PLC took out an injunction against
other unknown cybercriminals to stop them from publishing data stolen from
its IT systems. Clarksons publicly admitted in November last year that it
had been hacked. The company refused to pay a ransom and information
seemingly never was published online by those blackmailing the firm.

Elsewhere, it is becoming increasingly common for companies to threaten
legal action against legitimate cybersecurity researchers and journalists
reporting on stories. As ZDNet has reported, two cybersecurity reporters
and one researcher have had legal proceedings started against them for
reporting flaws in products and services.