In the age of dark web cyber gangs often operating from the shadows of foreign jurisdictions, Australian courts are now regularly forced to confront an old problem wearing a new disguise: how do you sue someone you can’t identify?
The University of Notre Dame Australia – which has campuses in Sydney NSW and Freemantle in Western Australia – became the latest Australian victim of a sophisticated cyberattack.
Hackers breached the university’s servers and stole enormous quantities of sensitive data: student records, alumni databases, staff information, internal communications — a veritable goldmine for blackmailers and identity thieves.
They then threatened the university, demanding payment to prevent the data’s release.
Faced with demands from criminals who had no names, no known addresses, and likely no intention of ever revealing themselves, the university turned to the Supreme Court of New South Wales.
In a sweeping decision, Justice Peter Brereton granted wide-ranging injunctions against the perpetrators — referred to simply as “Persons Unknown” — restraining them from using, publishing, or further disseminating the stolen data.
This is not the first time that the courts have been asked to intervene in the case of anonymous wrong doing.
Bloomsbury Publishing secured pre-emptive injunctions against unknown parties who had unlawfully accessed Harry Potter manuscripts before publication.
Th English High Court made similar orders against anonymous blackmailers who had threatened to leak intimate images.
In Australia, the Federal Court dealt with the leak from the Australian Tax Office of financial documents whose original sources remained unclear.
In 2023, an Australian law firms was cyberattacked by Russian-linked ransomware group BlackCat and then publicly posted portions of the stolen material when ransom demands were not met.
Just like Notre Dame, the law firm obtained injunctions in the Federal Court of Australia against “Persons Unknown,” forbidding the publication, sharing, or use of the hacked material.
Justice Brereton’s orders against the Notre Dame hackers include commands not just forbidding publication, but requiring the perpetrators to take active steps to delete the stolen data from any part of the internet where it may still linger.
The orders are directed at the anonymous hackers themselves, but also acted as legal shields the firm could use to pressure hosting providers, domain registrars, and search engines to take down the stolen material wherever it appeared online.
They create clear grounds for search engines, internet providers, and social media companies to justify requests for removal of content which are otherwise mostly refused.
