12/05/2026

Written by Judith Hopper and Stephanie Sandford-Smith 

With a number of recent and high-profile cyber security breaches and ransomware attacks, organisations are increasingly aware of the need to put in place appropriate risk mitigations, including enhanced IT security measures and a cyber incident response plan for when, not if, an attack takes place. 

In terms of legal action, the attacks are often carried out by perpetrators whose identity and location is unknown. This means that the usual procedure of issuing and serving a claim on named Defendants cannot be applied. 

There is, however, a valuable tool available: “newcomer” injunctions. Whilst an injunction of this type is unlikely to deter the hackers, it can be a highly effective proactive risk management tool for affected organisations.  Crucially, it can also prevent further breaches by limiting further online publication.  

What is a newcomer injunction?

A newcomer injunction allows an organisation to obtain a court order against persons unknown, who are not yet identified and have not yet acted unlawfully. Instead of naming a defendant, the order is framed against a clearly defined class of “persons unknown” based on their potential conduct.   

The leading case in this area is Wolverhampton City Council v London Gypsies and Travellers [2023], which arose in the context of a number of local authorities seeking injunctions to prevent unauthorised encampments by gypsies and travellers. However, the Court noted that the application was likely to be wider: 

The availability of injunctions against newcomers has become an increasingly important issue in many contexts, including . . .a wide variety of unlawful activities relating to social media . . . The advent of the internet, enabling wrongdoers to vitiate private or public rights behind a veil of anonymity, has . . . made the availability of injunctions against unidentified persons an increasingly significant question”. 

Two recent Court decisions demonstrate how newcomer injunctions can be used in cases of cyber security breaches.  

HCRG Care v Person(s) Unknown [2025]

HCRG Care, a major UK healthcare provider, was the victim of a ransomware attack in early 2025. Unknown threat actors, identifying themselves as “Medusa”, infiltrated its IT systems, exfiltrated large volumes of confidential patient and business data, and issued a time-limited ransom demand accompanied by a threat of publication. 

Faced with a credible and imminent risk of further publication, HCRG issued proceedings against “persons unknown” for breach of confidence and misuse of information, seeking urgent injunctive relief. The High Court granted a without notice interim injunction restraining any disclosure or publication of the data, together with permission for service out of the jurisdiction and by alternative means, including via the hackers’ own web portal.

At the return date hearing, the Court continued the injunction to protect the confidentiality of the stolen information, concluding that the sensitivity of the data meant that the risk of harm remained ongoing.  

As well as neutralising the ransom threat, the injunction had a practical operational impact, as once obtained, HCRG were able to notify third-party websites hosting leaked material, resulting in the removal of the content and limiting further spread.

University and College Union v Person(s) Unknown [2025]

In this case, the Union faced a ransomware attack in August 2024 in which identified threat actors gained access to its IT systems, exfiltrated sensitive union, employee and third-party data, and proceeded to publish some of that material online. The Union acted promptly to obtain a without notice interim injunction against “persons unknown”, restraining further access to, use or dissemination of this data.

When the threat actors failed to engage with the proceedings, the Court granted default judgment and a final injunction, converting the interim protections into an ongoing framework. The final order imposed wide ranging obligations “prohibiting the defendants from using, publishing, communicating or disclosing the information; and ordering the defendants to deliver up and/or delete and/or destroy the information, and to provide a witness statement with a statement of truth explaining their compliance”.

Again, while the injunction could not eliminate the breach itself, it enabled the Union to contain the harm by providing a continuing prohibition on use/disclosure.  

These cases underscore the court’s willingness to grant robust remedies in cyber attack cases and to allow for flexibility in methods of service, including communication channels used by the attackers so that procedural requirements do not undermine practical effectiveness.

Key benefits of a newcomer injunction 

Newcomer injunctions provide affected parties with a remedy to remove unlawfully published material, and a legal protection to restrict further publication by third-party platforms, hosting providers and intermediaries.

Affected organisations seeking newcomer injunctions can also point to Court action as evidence of a robust response – whether to maintain confidence with customers and commercial partners, or to demonstrate to a regulator the steps being taken to limit harm.  

When will a ‘newcomer injunction’ be granted?

In cases of this type, time is of the essence. A party making an application must be able to show that the threat is real and imminent, often requiring swift action before damage occurs or escalates. 

Evidence will also be required around the breach of security and the types of data lost – so technical support for any claim will be critical.  

The evidential hurdle is strict: injunctions are the “nuclear weapon” of the litigation world, so the Court must be satisfied that granting the injunction is just and convenient in all the circumstances.  The Claimant must show that there is a serious issue to be tried; damages would not be an appropriate remedy given the sensitivity of the data involved; and provide a cross-undertaking as to damages.  

Key Takeaways

Cyber incidents require swift, coordinated action. Affected parties should: 

  • Act quickly to contain and isolate affected systems, secure data and understand the scope of the breach
  • Take early legal advice on regulatory and legal risks. Legal input at the outset will ensure discussions on strategy remain legally privileged 
  • Assess notification obligations to regulators, including the Information Commissioner’s Office
  • Consider injunctive relief, where data has been exfiltrated
  • Prepare a clear communications strategy 

Whilst it may not be possible to eliminate the damage caused by an unwanted cyber-attack, early steps can significantly reduce harm.  

Judith Hopper 4
Stephanie Sandford Smith 2

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.