Litigation partner at Watson Burton law firm, Chris Graham, examines the way in which hackers are increasingly using the latest technology to carry out good old fashioned blackmail, and why a lawyer should be your first port of call if your business suffers a cyberattack.
In recent weeks a hacker, or hackers, calling themselves The Impact Team completely compromised databases, financial records and other information relating to users held by Ashley Madison and AdultFriendFinder. Online user data of millions of accounts have been leaked along with maps of internal company servers, employee network account information, bank account data and salary information. This followed a demand by The Impact Team that the owners of these services close them down permanently, describing subscribers as cheating dirt bags.
Leaving aside expressions of moral outrage, at the end of last week the position worsened for both Avid Life Media, which runs these websites and some of its subscribers. When all of this personal data was made available the demands began. Enclosing a link to a site where bit coins can be purchased, using a credit card, numerous individuals or organisations began demanding around £300 if subscribers did not want their personal details published more widely on the internet, using social media such as Facebook to inform the subscribers, partner or employer. Unlike the hackers, these demands were motivated by financial reward.
The size and scale of this cyberattack is quite staggering. Equally, this type of activity is not uncommon. Recent events are simply more newsworthy than most cyber-attacks. Increasingly, hackers use an insight and expert knowledge of online business circumvents security systems. This is an emerging but common scenario involving either the theft of data or diversion of internet traffic, with casinos and online gambling platforms just as vulnerable as dating websites. Hackers use the latest technology but what they do involves simply good old fashioned blackmail.
In December 2013, two polish hackers who unleashed a cyberattack to blackmail an online casino business out of millions of pounds were jailed for five years and four months each. To avoid a mass attack on computer servers designed to overwhelm the system, the Defendants demanded a 50% stake in the company. When compared with the blackmailers using leaked details from Ashley Madison, their ambition appears to have brought about their downfall. Most blackmailers make more modest demands, with a view to avoiding investigation by the authorities as well as making a quick buck.
Whilst this type of attack involves more than one criminal offence, in the context of the internet, this does not appear to involve much of a deterrent. It is likely that the solution to this type of serious problem lies partly in the technology. Organisations need to use the latest security measures to stay one step ahead of hackers. Victims also have civil remedies. In common with Ashley Madison, most cyber-attacks are based on the platform of some inside knowledge of systems. The perpetrator is often a former contractor or even an employee. Our law has developed along with online technology and the High Court is now quite accustomed to granting injunctions to prevent unauthorised disclosure and misuse together with consequential orders to police this type of restraint, we have recently obtained Orders for imaging as well as inspection. Civil proceedings enable a victim to retain control over the proceedings and the potential damage will usually justify the cost. The sanction for breach of an Order is contempt and this can include imprisonment as well as a fine. Once the victim’s position has been protected, complaint can then be made to the prosecuting authorities.
Doing business online is necessary for most commercial organisations and the growing threat of cyber-attacks runs the risk of the internet appearing to operate outside the boundaries of the law.
Online businesses will grow more accustomed to implementing increased measures to ensure external security but also imposing controls internally upon those who have access to systems and know their operations. Advances in technology also mean that evidence of wrongdoing is easier to uncover and there are sanctions. Wrongful interference, theft and blackmail have been around for much longer than the internet. The Courts have adapted existing remedies such as injunctive relief to the new age of the internet. Until the risk of prosecution becomes an effective deterrent, victims of a cyberattack should consider civil remedies in the High Court.