University College Union vs persons unknown

Introduction

The High Court has ruled in favour of the University College Union (UCU) in a significant case involving a ransomware cyber attack. The case, heard in the King's Bench Division, Media and Communications List, was brought against persons unknown who had unlawfully accessed and threatened to disclose confidential information from the UCU's IT systems.

Background

The University College Union, representing over 120,000 members across the UK, discovered a breach of its IT systems between 12 and 16 August 2024. The breach involved a ransomware attack where confidential information was obtained. On 16 August 2024, the UCU received a voicemail indicating that the attackers had access to the information, some of which was later found online.

Initial Proceedings

An urgent application for an interim injunction was made by the UCU without notice, which was heard by Richard Spearman KC, sitting as a deputy judge of the High Court on 16 October 2024. The interim injunction required the defendants to delete or destroy the information and provide a witness statement confirming compliance. Despite the order, the defendants did not engage with the proceedings.

Further Developments

On 14 November 2024, Hill J extended the injunction to trial and made an order for alternative service due to concerns about the effectiveness of initial service. The defendants were required to serve a defence by 12 December 2024, which they failed to do. Hill J noted that if the defendants continued to ignore the proceedings, the UCU would seek a default judgment.

Default Judgment Application

The UCU applied for a default judgment and a final injunction. The court determined the application without a hearing, noting that the defendants had not engaged with the proceedings despite being notified. The court found that the UCU had satisfied all procedural requirements for a default judgment.

Legal Analysis

The court considered the case under the principles of breach of confidence, noting that the information had the necessary quality of confidence, was obtained without consent, and was disclosed or threatened to be disclosed unlawfully. The court found that the UCU had established a cause of action for breach of confidence.

Judgment and Remedy

The court granted the UCU's application for default judgment and issued a final injunction prohibiting the defendants from using or disclosing the information. The court also ordered the defendants to delete the information and provide a compliance statement. The judgment included provisions for costs and continued court supervision to protect the UCU's confidentiality.

Conclusion

This case underscores the court's willingness to protect confidential information and grant remedies in cases involving cyber attacks, even when the defendants are unknown. The decision highlights the importance of swift legal action in safeguarding sensitive data.