Cybersecurity experts are warning that injunctions – an increasingly popular legal tactic touted as protecting victims of data breaches – are putting people at greater risk of cybercrime.
After being targeted by cybercriminals in April 2023, law firm HWL Ebsworth (HWLE) responded to the large-scale theft of its data by seeking an injunction from the Supreme Court of New South Wales.
The first of its kind in Australia, this injunction aimed to prevent further publication or dissemination of HWLE’s impacted data, whether by the hackers responsible or by non-criminal third parties such as journalists and cybersecurity researchers.
Since then, companies have routinely used the legal tactic for some of Australia’s most notable data breaches, including the recent cyberattack which impacted 5.7 million customers at airline Qantas.
But as injunctions have grown in popularity, so has concern that they may impede the work of cybersecurity professionals and ultimately put victims at greater risk.
“Our clients reasonably expect us to alert them should any of their private or confidential information appear on the dark web, so that they can improve their security posture against that information being exploited,” Euan Prentice, director of cybersecurity company Cythera, told Information Age.
“An injunction prevents us and our clients from performing these activities.”
Indeed, Prentice said injunctions not only fail to offer protection to consumers and victims of data leaks, but also “disempower them from self-help”.
“This is because the only party that can provide them guidance on their exposure is the very one that lost the data in the first place,” said Prentice.
“It provides an appearance of doing something and, to the lay person, may seem sensible.
“In reality, the hackers simply don't care and those that will exploit the leaked data are already by their very actions showing no regard for the law.”
A gag on cybersecurity
Jamieson O’Reilly, founder of information security company Dvuln, told Information Age that despite their popularity, he did not believe injunctions are an effective countermeasure to international cyber extortion.
“All that injunctions achieve in the contexts I’ve seen is silencing public discussion inside Australia,” said O’Reilly.
“This does nothing to stop the attacker’s own channels from publishing to a global audience.”

When Qantas got an injunction for the stolen data of its customers, it prevented the data being used by "good guys", said cyber expert Troy Hunt.
Despite over five million Qantas customer records having leaked to the dark web, Qantas boasted its recent injunction prevents its stolen data from being “accessed, viewed, released, used, transmitted or published by anyone, including third parties”.
For Troy Hunt, chief executive of highly popular breach tracking platform Have I Been Pwned (HIBP), the injunction meant his company couldn’t handle Qantas’ leaked customer data or use it to keep victims informed of whether they were impacted.
“In other words, the data is also off limits to the good guys,” wrote Hunt.
“Journalists, security firms and yes, HIBP are all impacted by injunctions like this.”
Third parties were also caught in similar injunctions by ticketing company Ticketek in mid-2024 and IVF provider Genea Fertility earlier this year – notably, neither of these injunctions completely prevented the stolen data from being published online.
“You can’t litigate your way out of an attack carried out by a gang that thrives on publicity,” O’Reilly said.
“I would go as far to say that it can even work against public interest.
“The vacuum of credible information gets filled with whatever narrative the attacker wants to push, or whatever minute details organisations want to share to save their stock prices.
“If people don’t understand how these attacks unfold, as uncomfortable as that disclosure might be, they will not learn from them.”
Qantas stands by HWLE playbook
Speaking with Information Age, Qantas said its recent injunction was “one of several steps” taken to “protect its customers who have been impacted” by its June data breach.
“We felt the injunction was an important course of action to further protect our customers and so far, it has been effective in preventing the stolen data being accessed, released or published by third parties,” Qantas said.
The airline noted its position is consistent with the federal government’s guidance – after HWLE obtained Australia’s first cybersecurity injunction, the National Office of Cyber Security (NOCS) said government entities “overwhelmingly” viewed it as having enabled better support for impacted clients.
“[It minimised] the likelihood that other actors may access and act on the published data, and was overall viewed as a sensible step in the firm’s response,” wrote NOCS in February 2024.

Prentice, however, lambasted Qantas for adopting the “HWL Ebsworth playbook”, stating the airline was “trying to lawyer their way out of responsibility by pretending nobody can use the data”.
“In the meantime, 5.7 million Australians can expect more targeted emails from bad actors who have all their data,” he said.
Who benefits from injunctions?
Michael Collins, founder of cybersecurity advisory Cyber Cognition, explained that injunctions “serve multiple strategic purposes” other than attempting to protect victim data.
“They obtain evidence of due diligence for regulators, adherence to insurance policy requirements, and a defensive position against class action lawsuits,” said Collins.
“Company directors may also benefit because it shows they took reasonable steps to respond to the breach.”
James Neil, partner at law firm Clayton Utz, noted injunctions can be “quite powerful and effective” in practice.
“While cybercriminals located overseas may not pay much heed to the orders of an Australian court, the orders are invariably also directed to third parties who may come into possession of the hacked information,” said Neil.
“If a security researcher shares data in breach of such an order, they could certainly be subject to potential legal repercussions, irrespective of whether they believe they have done so for ethical purposes.”
And while Prentice noted “targeted injunctions” can have legitimate uses – such as preventing insider exploitation from ex-employees who are domiciled in Australia – he ultimately warned Australia against the legal tactic.
“Until these injunctions are challenged as both ineffectual and counter-productive, they will become increasingly common,” he said.