A major Irish company has paid a ransomware demand after its data was hacked, the High Court has heard.
Nothing can be published which would identify or might identify the company because of fears of a repeat of the hacking or the damage identification would do to its business.
Mr Justice Mark Sanfey said if he was not to continue the anonymisation order, he would be doing just what the hackers had intended when they threatened to release the data they had hacked from the firm.
He was speaking during an application by Anthony Thuillier BL, for the company, for the continuation of orders obtained at a Sunday sitting of the court sitting last month just after the ransomware demand was made.
The case was before the court using the letters AAA for the company against “Persons Unknown Responsible for Demanding Money”, that is the hackers.
The judge agreed to continue the orders including anonymisation and preventing the dissemination or publicising of any of the stolen data by the hackers or anyone who receives it.
Mr Thuillier told the judge that since the case was last in court, the hackers had closed the portal, the ransom was paid, and the data returned.
One step ahead
His client was concerned that if its name was published it could be targeted by other cyber criminals because they now know “we are a mark”. Even though the company has put in place a system to try to prevent a recurrence, cyber criminals are often one step ahead, counsel said.
From a business point of view, the company did not want to be seen as weak or tainted. It had fought for its life and had no option but to give in, counsel said.
Another reason was that the hacking and payment would provide ammunition for competitors who could say to clients “come over to us, we have not been hacked” and there might be a question mark raised by competitors over the abilities of the (plaintiff) company, counsel said.
The judge noted counsel had said that if the anonymisation order was not continued, he would not be pressing for further orders. The principles in relation to that and engaged by this case were established by a Supreme Court decision in March 2017 (the Gilchrist case), he said.
Threat to destroy
It seemed to the judge the consequences of lack of anonymisation were exactly the sort of threat the hackers intimated when they said they would release the data publicly if the ransom was not paid. It was a threat to destroy the company because the hacking would affect its ability to do business with current and prospective clients, he said.
To refuse anonymity would not be doing justice to the company and would be “effectively facilitating” the threat of damage by the hackers, he said.
There had been no application for a full “in camera” hearing (where nothing could be reported) because the fact of the cyberattack on such a large company was a matter which should become known in the public interest, he said.
Following further submissions from Mr Thullier, the judge also ruled that anyone with knowledge of the orders relating to the exfiltration of the data from the company cannot publish it, host it or process it and must delete it.
Counsel said it would mean the company could immediately contact a platform like Google if any of the information was discovered on the web and point to the order and it would have to take it down. Tech companies normally comply with such requests if there is a court order in place, he said.
The judge gave liberty to anyone who believed they were affected by the orders relating to hosting or processing the data to come to court to make their case.