In the cases of Clarkson Plc v Person(s) Unknown (“Clarkson”) and PML v Person(s) unknown (“PML”), the court has created a new tool in the fight against cyber attackers. The defendants who are unknown person(s) gained unauthorised access to the claimants’ IT systems and acquired a considerable quantity of information. The unknown defendant(s) then threatened to publicise the information unless a substantial sum was paid. Despite not being able to identify the attackers directly the court was prepared to grant an injunction. Continue reading
Tag: cyber attack
The Mirai malware gained its infamy in October 2016 following its record breaking attack on systems operated by domain name system provider Dyn, using unsecured Internet of Things (“IoT“) enabled “smart” devices (such as CCTV recorders, webcams and routers). It resulted in the widely reported outage of Twitter, Netflix, Spotify and Airbnb, amongst others.
Mirai is highly effective as it targets devices which often run unattended, do not have anti-virus installed, and have no external visual indication that they have been compromised. Mirai works by systematically trying the 62 most common default username/password combinations against the Telnet/SSH port of internet connected devices in an attempt to gain administrative access to the device. Whilst simple, the sheer number of vulnerable devices on the internet means that “botmasters” (the creators and controllers of the collections of compromised computers and IoT devices (each a bot and together a botnet)) have been able to create and sustain botnets containing up to 100,000 devices. Botmasters are then able to sell the use of their botnets online to the highest bidder for use in, for example, Distributed Denial of Service attacks against specific targets (e.g. Dyn). Continue reading
The CJEU has ruled that the operator of a website may have a legitimate interest in storing certain personal data relating to visitors to that website in order to protect itself against cyber attacks.
In the case of Patrick Breyer v Bundesrepublik Deutschland (Case – C582/14), Mr Breyer had brought an action before the German courts to prevent websites, run by Federal German institutions, from registering and storing his IP addresses. The institutions register and store the IP addresses of visitors to their sites, together with the date and time when a site was accessed, with the aim of preventing cyber attacks and to make it possible to bring criminal proceedings.
The main question before the CJEU was whether dynamic IP addresses constitute “personal data” for data protection purposes. The court found that a dynamic IP address would constitute personal data where the website operator had the legal means of identifying the relevant individual with the help of additional information from the internet service provider. The court further found that, in the case, the German institutions had a legitimate interest in processing such personal data for the purpose of preventing cyber attacks.
Further details of the case can be found here.