Using injunctions after a cyber attack: what the courts will help you achieve

It has been over a year since HWL Ebsworth (HWLE), an Australian law firm, sought and obtained urgent interim and final injunctive relief against anonymous foreign hackers following a high-profile cyber attack, the first time this had been done in Australia.

At the time, we highlighted some of the inherent challenges that arise when seeking injunctive relief following a cyber breach (such as service and obtaining judgment against "persons unknown") and also considered the broader legal and commercial considerations which inform the utility in pursuing litigation when a cyber breach arises.

The HWLE decision has since been applied in two recent NSW Supreme Court decisions. In this article we'll focus on the current state of affairs in this emerging and increasingly important space.

The University of Notre Dame Australia v Persons Unknown [2025] NSWSC 550

This decision was heard and decided by Justice Brereton in May 2025.  

At the start of 2025, the University was the victim of an extortion attempt by unidentified hackers. Documents including confidential information about the University’s internal operations, as well as the records of students, staff and faculty members, were stolen and a ransom note sent.

Justice Brereton acknowledged the HWLE decision by observing: "the clear articulation of principle in that matter is of considerable assistance".

Interestingly, the injunction sought by the University was more confined than the injunction obtained in the HWLE decision. The University sought an injunction against

“The Defendants (by themselves, their agents, or by any third party in possession of some or all the Exfiltrated Dataset) be restrained from…”.

HWL Ebsworth's injunction by contrast also extended to third parties who were not a party to the proceeding:

“[t]he Defendants as defined below (and any other third party in possession of the Impacted Dataset that is made aware of these orders) is restrained from…”.

Justice Brereton considered the framing of the University's injunction to be preferable as it said more clearly that the injunction lies against the specified defendants while acknowledging that they may act through other agents. Adopting this more conventional framing of an injunction may increase the prospects of obtaining the relief sought on an urgent basis.

The University's injunction was expressed as follows:

“The Defendants take all steps to immediately remove all and any of the Impacted Dataset (including the Exfiltrated Dataset) from all accessible internet locations (including, for the avoidance of doubt, from ‘dark web’ locations)”.

An order to this effect was not sought in the HWLE decision. At the time of the hearing, there was no evidence that the stolen material was available elsewhere, however, Justice Brereton observed that the nature of extortion means that it may become available elsewhere at a later point. On this basis, the Court was willing to make this order, indicating a willingness on the part of courts to be proactive and take into account the realities of cyber breaches.

Qantas Airways Limited v Persons Unknown [2025] NSWSC 776

Two weeks after its high-profile cyber breach was announced, Qantas was in the NSW Supreme Court. This matter was heard and decided on 16 July 2025 (two weeks after the high-profile cyber breach was announced). Qantas was seeking orders to prohibit the dissemination of the hacked information – both by the hackers themselves and by third parties who might come into possession of the information.

Qantas sought an order that the fact of the proceedings and the evidence relied upon for it should be suppressed for a short time. This suppression order was granted for 19 hours and Qantas was ordered to then make a public announcement about the proceedings and make a redacted version of the material relied upon available to the media. Justice Kunc granted Qantas' suppression order on the basis that it was for a very short period of time and it allowed Qantas to act proactively to protect the administration of justice.