UK Cybercrime remedies against unknown hackers
28 November 2018
The English High Court will adopt flexible and innovative approaches to help victims of cybercrime obtain remedies against defendants who are either unknown or refuse to engage in proceedings. The court confirmed its jurisdiction to grant world-wide freezing orders against persons unknown and also sanctioned the service of defendants by “innovative” methods including Facebook Messenger, Whatsapp and a data room system: CMOC Sales & Marketing Ltd v Person Unknown & 30 ors  EWHC 2230 (Comm).
CMOC was the victim of a business email compromise fraud. The perpetrators had hacked into CMOC’s system and sent payment instruction emails to its bank, purporting to come from an authorised signatory. In response to those instructions, the bank paid USD6.91 million and EUR1.27 million out of CMOC’s account in twenty separate transfers.
The first defendant was a group of persons whose identities were unknown. The second to 31st defendants were named individuals or entities, which CMOC had identified through information and disclosure orders against the banks into which the funds had been paid. These banks, of which there were 50 in 19 different jurisdictions, were “no cause of action defendants”. No substantive relief was claimed against them but they were joined to the proceedings as respondents to the information and disclosure orders that were made.
The claims brought against the 31 defendants were: proprietary claims involving the use of tracing; a claim for compensation for dishonest assistance; a claim in damages for unlawful means conspiracy; a claim in knowing receipt; and a claim in unjust enrichment. The court held that all of the claims against all of the relevant defendants succeeded as pleaded (with the exception of the unjust enrichment claim, which succeeded against only some of the defendants).
Obligation of fair presentation in absence of defendants
None of the 31 defendants engaged in the proceedings. The court reiterated that it nevertheless had to be satisfied on the balance of probabilities that the claims were made out, which, where the underlying allegation was fraud, required cogent evidence. The court made clear that although there was an obligation of fair presentation where a trial was not attended by the defendant, that obligation was less extensive than the duty of full and frank disclosure on a without notice application.
CMOC presented evidence on the destination of the funds paid out of its account in the form of a flow chart. It also provided a summary for each defendant, setting out all the details it had managed to obtain, including date and place of birth, passport number, associated addresses, telephone numbers and email addresses, and Facebook and Whatsapp account details. Agreeing with the proposal put forward by CMOC, the court took a “reasonable and proportionate approach” to the evidence and audited some example payments. It concluded that CMOC’s chart provided an accurate summary of the payment flows and there was no reason not to take the whole of it at face value.
World-wide freezing orders
In October 2017, the court had granted a world-wide freezing order (WFO) against the first defendant, which was the first such order granted against persons unknown. In its latest decision, the court stated that jurisdiction to grant WFOs against persons unknown was now “clearly established”. The court highlighted the recognition in cases such as PML1 and Clarkson2 that injunctive relief against persons unknown is particularly apposite where the reason they are unknown is because of their activity as hackers.
Service by Facebook Messenger, WhatsApp and data rooms
The methods of service permitted by the court were, in the judge’s own words, “innovative features” of this case. In CMOC’s summary for each defendant it set out precisely how that defendant had been served at the relevant stages of the proceedings through to trial. The court concluded from these summaries that the decision of the defendants not to participate in the proceedings was voluntary and informed.
The alternative methods of service that were permitted in these proceedings included use of Facebook Messenger and Whatsapp. The court commented that Whatsapp has the “particular virtue” of showing when a message has been sent and when it has been read by the recipient. Having observed the methods used and ultimately permitted in these proceedings, the judge stated that “the court will consider proactively different forms of alternative service where they can be justified in a particular case”.
CMOC had also come up with a system for serving the many banks to which funds had been paid with all the evidence adduced in obtaining the interlocutory orders, which the court approved. This system involved sending the relevant party, by way of a previously approved court method (including email), a link to a data room and an access code. Any party which accessed the data room would be able to view all the evidence along with all applications and orders made as at that date. The court commented that the banks had found the data room “a most useful facility”. As with Facebook Messenger and Whatsapp, the court observed that service by data room could clearly be justified and appropriate in cases such as this.
This case confirms the English court’s willingness to adopt innovative approaches proposed by claimants who are seeking relief from defendants who have concealed their identities. The decision will be welcomed by companies who are faced with the constant threat of cyber attacks by anonymous hackers. As the court recognised in this case, in cases of international fraud a freezing injunction is often needed as a “springboard for the grant of ancillary relief”. The court also recognised that vital information is likely to be obtained from banks as to the identity of account holders, which may result in the claimant being able to subsequently name them as defendants, as happened here.
Even where the defendant is not unknown, the English High Court has recently shown its ability to assist the innocent party in a cyber dispute by allowing it to bring a claim against a defendant domiciled in another jurisdiction. In BVC v EWF,3 the court held that it was able to hear a claim for damages for misuse of private information, despite the fact that the defendant said he was domiciled in Switzerland, on the basis that England was where the claimant had his “centre of interests”. Following the CJEU in eDate Advertising,4 the court found this basis for jurisdiction to be appropriate in the context of online publication of information, where distribution was essentially universal. In addition, service by email was deemed effective even though the defendant was in Switzerland when he received the email.
Prospective claimants should be encouraged by the court’s flexibility in these cases and its willingness to embrace mechanisms in order to allow victims of cyber crime to pursue effective legal remedies.
1 PML v Person(s) Unknown  EWHC 838 (QB).
2 Clarkson Plc v Person or Persons Unknown  EWHC 417 (QB).
3  EWHC 2674 (QB).
4 eDate Advertising GmbH v X (Cases C-509/09 and C-161/10)  QB 654.
This case summary is part of the Allen & Overy Litigation and Dispute Resolution Review, a monthly publication. If you wish to receive this publication, please contact Amy Edwards, email@example.com.