A Spanish tech company alleges its direct competitor did not build a better product -- they broke into servers and stole the playbook. On March 3, 2026, the UK Commercial Court agreed there was enough evidence to keep an injunction in place. The allegations, if proven at trial, would make this a textbook case of corporate cyber espionage dressed in SaaS clothing -- with implications far beyond the niche world of content creator management software.
The case is Infinni Innovations S.A. v OFMS Limited and others, citation [2026] EWHC 470 (Comm). On the surface, it looks like a niche commercial dispute between two software vendors competing for agency clients in the OnlyFans creator economy. Pull one layer back and you find something the cybersecurity community has been warning about for years: a company allegedly weaponizing unauthorized server access to poach a competitor's entire customer base. The attacker in this scenario is not a nation-state, not a ransomware gang, and not a script kiddie looking for notoriety. It is allegedly a direct business rival operating from England and Cyprus, running a platform that competes dollar-for-dollar with the victim. And the weapon of choice was not malware in the traditional sense -- it was systematic data-scraping and exfiltration of proprietary operational intelligence over the course of nearly a year.
The Industry Nobody Talks About
To understand why this data was worth stealing, you first have to understand the industry it came from. The OnlyFans creator economy is considerably larger and more operationally complex than its public reputation suggests. Creators on the platform -- particularly those generating significant revenue -- do not typically manage their own subscriber communications. They rely on agencies, and those agencies manage hundreds or thousands of accounts simultaneously, chatting with subscribers, tracking spending patterns, and building detailed profiles on individual fans to maximize engagement and revenue per user.
This is where Infloww comes in. Operated by Infinni Innovations S.A., a Spanish technology company registered in the Canary Islands, Infloww is a customer relationship management platform built specifically for this market. According to court filings, the platform allows agencies to manage subscriber conversations, store information about individual fans, and analyze performance data across creator accounts. It is, in essence, a specialized CRM with deep integration into the behavioral and financial data of a specific platform's user base. The judgment describes Infloww as the apparent market leader in this niche.
To understand what that market is worth, consider figures cited in the judgment itself. In its 2024 accounts, OnlyFans reported gross fan payments of approximately USD 7.22 billion and pre-tax profits of USD 683.6 million, across hundreds of millions of registered users and several million creators worldwide. Individual creator earnings cited in Infloww's own published materials range from around USD 3,000 to USD 5,000 per month for mid-tier creators, to USD 20,000 per month for higher earners. The messaging interactions that drive those earnings -- and the subscriber relationship intelligence that makes them possible -- are exactly what gets stored in a CRM like Infloww. Every note a chatter records about a fan, every script developed to extract maximum spend from a subscriber, every behavioral pattern logged over months of interaction: that data is the operational core of a multi-billion-dollar industry.
OnlyMonster, the defendant's platform, is a direct competitor. According to publicly available product descriptions, it markets itself as a combined anti-detect browser and CRM -- meaning it also handles the account isolation and security functions that agencies need when managing hundreds of separate creator accounts on a platform that actively tries to detect and block automation. The two platforms compete for the same pool of agency clients, which makes what allegedly happened next commercially logical -- and criminally significant.
The full case citation is Infinni Innovations S.A. v OFMS Limited and others [2026] EWHC 470 (Comm). The judgment was handed down by Mr Justice Saini in the UK Commercial Court on 3 March 2026, following hearings on 27-28 January 2026 and 25 February 2026. The claimant was represented by Tony Singla KC and Chintan Chandrachud of Brick Court Chambers, instructed by Cooley (UK) LLP. The defendants were represented by Arnold Ayoo and Kendya Goodman of Maitland Chambers, instructed by Eldwick Law. The full judgment is publicly available at the Courts and Tribunals Judiciary website.
The four defendants are: OFMS Limited (incorporated in England and Wales), OMLAB Digital Limited (incorporated in Cyprus), Pavlo Kharmanskyi (Ukrainian national, resident in the UAE, co-founder of OnlyMonster, responsible for strategy and marketing), and Danyl Romanov (Ukraine resident, Head of Sales and Business Development at OnlyMonster).
What Was Actually Stolen -- and Why It Matters
The alleged intrusions did not target payment data, passwords, or anything that would typically register as a reportable data breach in the traditional sense. According to court documents and reporting by the International Comparative Legal Guides, the defendants are alleged to have carried out a series of cyber intrusions between December 2024 and November 2025, enabling them to copy substantial quantities of data from the Infloww platform across two distinct categories.
The first category is what the court describes as "fan notes" and messaging scripts -- detailed operational intelligence compiled by agencies while communicating with subscribers. These are not generic records. The actual judgment includes illustrative examples that make the nature of this data viscerally clear. One fan note records that a subscriber called "Brian" is from the Bay Area, California, is 40 years old, single, and lives with his parents. Another records that "Bruno" is a Navy SEAL veteran, a jiu jitsu black belt, from Brazil with Italian parents. A third documents that "David" earns a salary of USD 2,000 per month, tips between USD 50 and USD 100, and gets paid between the 15th and 17th of the month -- information recorded specifically to enable a chatter to time financial asks for maximum impact. This is profiling in the most operationally precise sense: a subscriber dossier built to optimize extraction.
Scripts are the companion infrastructure. The judgment reproduces example scripts from OnlyMonster's own demo account that illustrate how this works in practice. One reads: "Hey Ryan, I saw you liked my gym pics yesterday. Want the full video tonight?" -- accompanied by a prompt visible only to the chatter: "Use it only when: mentions gym pics." Another is even more targeted: "Hey Brian, I saw you liked my bath video yesterday. want the full video tonight?" with the prompt "Use it only when: replied 'I'm okay' and hasn't bought in 7 days." The scripts are precision instruments built from accumulated fan intelligence. For agencies managing hundreds of creator accounts and communicating with potentially millions of subscribers, this data represents years of accumulated operational knowledge. Rebuilding it from scratch would be extraordinarily costly and time-consuming.
The second category is analytics and reporting data generated by the Infloww platform itself -- aggregate and granular metrics on spending patterns and employee performance across accounts. This is the kind of intelligence that informs how an agency prices its services, which creators it prioritizes, and where its operational gaps are.
The UK Commercial Court upheld an interim injunction on March 3, 2026 following allegations that data was covertly extracted from Infloww's systems for use in a competing commercial platform -- proceedings documented as Infinni Innovations v OFMS Limited [2026] EWHC 470 (Comm) and reported by Brick Court Chambers.
Taken together, what was allegedly stolen was not raw personal data -- it was a competitor's entire operational brain. The alleged motive, as argued by the claimant and accepted as arguable by the court, is that the defendants used this data to approach Infloww's agency clients and make a compelling pitch to switch platforms. They would not need to guess at what those agencies needed; they allegedly already had detailed knowledge of how those agencies operated, what their pain points were, and what their subscriber bases looked like.
This is corporate espionage executed through technical means, and it is a different category of threat than ransomware or credential theft. There is no ransom note. There is no encrypted file system. There is no obvious moment of crisis for the victim. The attack is silent, sustained, and commercially targeted -- which is precisely what makes it so dangerous.
Unlike ransomware, competitive data exfiltration leaves no obvious victim notification. There is no encrypted drive, no ransom note, no outage. Victims frequently do not know they have been compromised until the business impact -- lost clients, suddenly well-informed competitors -- becomes undeniable. Traditional security monitoring focused on preventing system disruption will not catch this category of intrusion.
The Honey Trap: How Infloww Caught the Intrusion
One of the most forensically interesting details buried in the judgment -- and virtually unreported elsewhere -- is the reference to a "honey trap" in the case materials. Defense counsel at Eldwick Law publicly noted that the case involves "honey traps" alongside the alleged cyberattacks. The term refers to a detection technique where a system operator plants deliberately attractive but otherwise inert data -- accounts, records, or credentials that have no legitimate operational purpose -- so that any access to them serves as an unambiguous indicator of unauthorized intrusion. If a real user or a legitimate agency would have no reason to access a honey trap account, but it gets accessed anyway, that access is evidence of either a bug or a breach.
In the context of the Infloww case, this matters enormously for the detection story. The intrusion campaign allegedly ran from December 2024 through November 2025. Infloww commissioned Kroll to reconstruct the access timeline, and the Particulars of Claim were amended twice as the investigation progressed and the full scope of the intrusion became clearer. The honey trap detail -- even if lightly referenced in public proceedings -- suggests that some of the detection capability came not from passive anomaly monitoring but from deliberate tripwire architecture: data designed to be irresistible to a party conducting unauthorized bulk extraction and invisible to anyone doing legitimate platform management.
For security practitioners, this is a meaningful distinction. Anomaly detection at the application layer depends on baselines, thresholds, and pattern recognition. It can generate false positives and requires ongoing tuning. Honey trap accounts generate zero false positives by design: there is no legitimate reason for a real agency account to access records that were never associated with any real agency. The simplicity of the signal -- access equals breach -- is its strength. A platform that seeds its data layer with honey trap records and monitors for their access has a detection capability that does not depend on knowing what normal behavior looks like. It only needs to know that this specific behavior is always abnormal.
Whether the honey trap evidence forms part of Infloww's affirmative case at trial, or appears only as background to the forensic reconstruction, is not clear from the judgment. But its presence in the case record is a reminder that the most effective detection tools are sometimes the lowest-tech ones -- a deliberately baited piece of data sitting quietly in a database, waiting for someone who should not be there to pick it up.
The Legal Fight: From Emergency Injunction to Court Confirmation
Infloww did not discover the alleged intrusions and wait. The timeline of the legal response is instructive for any organization dealing with a suspected data exfiltration by a known competitor.
The dispute first arrived in court on 9 December 2025 at a without-notice hearing -- meaning the defendants were not present and did not receive advance warning. This is a deliberately high bar in UK law. Under the guidance established in American Cyanamid Co v Ethicon Ltd [1975] and refined through subsequent case law, an emergency ex parte injunction requires demonstrating both urgency and a credible risk that advance notice would allow the wrongdoer to destroy evidence or cause further harm. The court agreed and granted the interim injunction, restraining the defendants from accessing Infloww's servers and from using any of the extracted data. The court also directed the defendants to identify all data they had accessed within 10 days of service, by sworn affidavit. A return date was set for 18 December 2025.
At that December 18 hearing, the defendants applied to have the injunction discharged. They changed counsel between the December and January hearings -- Enyo Law and Simon Colton KC appeared in December; Eldwick Law with Arnold Ayoo and Kendya Goodman appeared at the substantive January 2026 hearings. They argued that the claimant had not shown a serious issue to be tried, that the balance of convenience favored lifting the order, and that Infloww had breached its duty of full and frank disclosure at the without-notice hearing -- a serious allegation in UK civil procedure that, if proven, can result in a court unwinding emergency orders entirely. The judge declined to hear substantive argument at the December hearing because the defendants had served their evidence and skeleton argument only the day before, and directed a further hearing for late January.
Separately, and notably, Infinni Innovations had already filed a parallel action in the United States. Court records show Infinni Innovations S.A. v John Does #1-50 was filed in the Eastern District of Virginia on September 29, 2025 -- months before the UK injunction. According to reporting by Law.com, the US lawsuit alleges two sophisticated cyberattacks targeting three of the plaintiff's proprietary systems, with the defendants bypassing security measures to extract sensitive customer data. The multi-jurisdictional strategy -- pursuing relief simultaneously in UK and US courts -- reflects a calculated legal approach by a company that clearly understood the cross-border nature of what it was dealing with.
Mr Justice Saini rejected all the defendants' arguments at the substantive January 2026 hearings. He found that the analytics and reporting data generated by Infloww was "plainly arguable" as confidential information belonging to the claimant, and that the compilation of fan notes and subscriber intelligence could also attract legal protection. Critically, he noted that while the defendants had acknowledged copying large quantities of data, they had provided no explanation of how they accessed the systems in the first place. Notably, the defendants had also conceded at the January hearing that there was a "serious issue to be tried" -- a significant retreat from the position they had tried to advance in December.
There was a further development at the January hearing that the article coverage has largely skipped over. The parties discovered they disagreed on the scope of the original injunction: did it restrain the defendants from allowing the migrated agencies to continue accessing the extracted data on OnlyMonster? The claimant said yes. The defendants said no. The court ordered further submissions on this point and held a third hearing on 25 February 2026 specifically to resolve the scope question. The final order permits agencies (Option 2) to continue accessing the extracted data while the main injunction remains in place against the defendants' own use. That distinction -- between what the defendants can do and what the agencies they serve can do -- will likely be contested further at trial.
"I was surprised by the defendants' continuing lack of candour." — Mr Justice Saini, Infinni Innovations S.A. v OFMS Limited and others [2026] EWHC 470 (Comm), para. 16, reported by ICLG
That phrase -- "lack of candour" -- carries significant weight in UK litigation. Courts expect disclosure and honesty from both parties. A judge expressing surprise at evasiveness on a factual question as basic as "how did you access the systems" is a notable signal in any interim proceeding, and the judgment's language on this point will be part of the record when the case proceeds to trial.
Beyond continuing the injunction, the court also ordered the defendants to provide a digital image of all data they had extracted, and to confirm the accuracy of that image by sworn affidavit. The sworn affidavit requirement is not procedural boilerplate -- it creates personal criminal liability for perjury if the defendants misrepresent what was taken. Combined with the undertakings they gave not to attempt further access or use certain categories of analytics data, the defendants are now operating under a web of legal constraints that will follow them through to trial.
The Question Nobody Wants to Answer: Who Actually Owns the Data?
There is a dimension to this case that receives almost no coverage in legal reporting but sits at the center of the entire dispute: the defendants did not simply deny taking data. They argued that the agencies whose data was extracted had authorized them to take it, as part of a platform migration when those agencies moved their business from Infloww to OnlyMonster. According to the defendants' own legal team at Eldwick Law, the core defense is that agencies were simply transferring their own operational data to a new vendor -- which, if true, would mean no unauthorized access and no breach of confidence.
This is not a frivolous argument. The fan notes and scripts in dispute were created by agency-employed chatters communicating with fans through the Infloww platform. The underlying information -- the personal details of subscribers, the conversational history, the relationship intelligence -- was generated by the agencies' own staff doing their jobs. Whether that data belongs to Infloww (as the platform host), to the agencies (as the operational parties who created it), or to the content creators (as the nominal account holders) is a question the judgment explicitly identifies as unresolved. Mr Justice Saini described it as an issue going to the "novelty" of the claim as a breach of confidence case, and the question will not be definitively answered until trial.
What the court did conclude at the interim stage was that the analytics and reporting data -- the Generated Data produced by Infloww's own algorithms and systems -- was clearly the claimant's confidential information. That category of data was not something agencies created or contributed to; it was the output of Infloww's proprietary analytical engine. The defendants' migration defense has considerably more difficulty with that category, which is likely why the court continued the injunction even while acknowledging the ownership dispute over fan notes and scripts.
For the cybersecurity community, this ownership ambiguity is worth sitting with. The case is not straightforwardly a story of a company getting hacked by a criminal. It is a story of contested data rights in a three-party commercial ecosystem -- platform, agency, creator -- where none of the parties have clearly defined contracts establishing who owns what. That is an extraordinarily common situation in SaaS environments where agencies or enterprise clients generate significant operational data on vendor-hosted infrastructure. In many of those relationships, the terms of service address data portability in the event of migration, but do not address whether the platform retains confidentiality rights over derived analytics, aggregated behavioral data, or system-generated intelligence that incorporates customer-created inputs.
The Infloww case is arguably the first UK commercial dispute to force those questions into public court filings. The trial will likely produce clearer guidance on when SaaS-generated analytics constitute the platform's trade secrets versus when they belong to the customers whose activity generated them. Until that guidance exists, every enterprise SaaS vendor and every agency operating on a third-party platform is operating in legal uncertainty about who owns the data they are collectively generating.
The civil injunction proceedings are only part of the legal picture. Unauthorized access to a computer system to extract data is a criminal offense under Sections 1 and 2 of the UK Computer Misuse Act 1990. Section 1 applies to unauthorized access regardless of intent. Section 2 applies when that access is undertaken with intent to commit a further offense -- which, in a case involving data theft for commercial advantage, would include offenses of fraud and misappropriation. Maximum sentences reach ten years on indictment under Section 2. The civil claim does not preclude a parallel criminal referral, and the detailed forensic record being built through the Kroll investigation and the court-ordered affidavit obligation creates a documented evidentiary trail that could support one. Whether Infloww pursues that avenue remains to be seen, but the option exists.
The Forensic Investigation They Should Not Have Needed to Commission
One of the more striking operational details in the judgment is that the claimant had to hire Kroll -- one of the world's leading forensic investigation firms -- to determine how the defendants had accessed its systems. The Particulars of Claim were amended twice as Kroll's investigation progressed and the full scope of the intrusion became clearer. When the court pressed the defendants at the January 2026 hearing to explain the technical mechanics of how they had entered Infloww's systems, they declined. According to the judgment at paragraph 17, the judge noted that the claimant's repeated amendments and detailed investigation would have been entirely unnecessary had the defendants simply disclosed how they had accessed the systems and what they had taken.
That observation has a direct operational implication: Infloww did not know it had been compromised from the inside. It took a court proceeding, formal discovery pressure, and a professional forensic firm to reconstruct the access timeline. That is not unusual for this category of intrusion -- targeted, low-disruption, operationally focused attacks by parties who have no interest in making their presence known. But it does underscore that the detection gap in competitive espionage attacks is not merely a technology problem. It is an organizational problem about what access patterns are even being monitored, stored, and reviewed.
The GDPR Question Nobody Is Asking
The Infloww case has been covered almost entirely through the lens of trade secret law and breach of confidence. There is a dimension that has received essentially no public attention: the fan notes at the center of the dispute are, on their face, personal data within the meaning of the UK GDPR and its EU counterpart.
Consider what the judgment documents. The fan notes contain the full name of subscribers, their age, their location, their relationship status, their living situation, their salary, their pay cycle, their spending patterns, their tipping behavior, and their personal interests and experiences -- including military service in the case of "Bruno." Some of this information was provided voluntarily by the subscriber in the course of interacting with a chatting service; some was inferred by agency staff and recorded without the subscriber's knowledge. Under the UK GDPR and its EU counterpart, data of this kind -- information that relates to and identifies a living individual -- is personal data. Depending on how the contractual relationships between Infloww, the agencies, and the creators are structured, Infloww may be a data processor, a controller, or both. The agencies are likely controllers in their own right. The subscribers are data subjects with rights over information compiled about them.
The core analytical point is this: if the alleged exfiltration of this data occurred as the claimant describes, that conduct would not merely raise questions of breach of contract or misappropriation of trade secrets. It would also raise questions under data protection law. An organization that accesses a third party's systems and copies personal data about identifiable individuals without authorization would, on that analysis, be processing that personal data without a lawful basis. Whether and how data protection law applies to the specific facts here -- including which entities are controllers, which are processors, what lawful bases were in place, and whether any notifications were required -- are questions that would need to be resolved on the actual evidence. This article does not make those determinations. What it does note is that the data protection dimension has received essentially no coverage, and that it is analytically distinct from the civil claim and potentially significant in its own right regardless of the civil outcome.
This angle matters beyond the immediate dispute. Any SaaS platform that holds personal data about third parties -- not just about its own registered users, but about individuals who interact with its clients -- needs to have mapped that data, understood the lawful basis for holding it, and established a clear incident response process for unauthorized access events. The same structural question applies to healthcare CRMs, HR platforms, legal practice management software, and any other SaaS environment where end-users generate personal data about third parties in the ordinary course of their work. The breach of confidence claim gets the headlines. The data protection dimension is worth watching as this case progresses.
This Is Not a New Tactic -- It Is an Evolving One
The Infloww case is notable, but it does not exist in a vacuum. UK courts have been developing a robust body of case law around emergency injunctions following cyber incidents since at least 2020, and the trajectory is toward expanding, not restricting, that relief.
In 2022, the Ince Group obtained an emergency injunction from Mr Justice Saini -- the same judge -- after ransomware attackers threatened to publish stolen data on the dark web unless they received a substantial ransom. Saini J described it as a "clear blackmail case" and granted both prohibitory and mandatory injunctions, the latter requiring the attackers to delete and destroy the stolen information. That case, Ince Group Plc v Person(s) Unknown [2022] EWHC 808 (QB), established that courts would move quickly and decisively when stolen data was at risk of imminent harm -- even against anonymous defendants.
In 2023, Armstrong Watson LLP secured a permanent injunction against unknown ransomware attackers following a similar playbook, with Cooley (UK) LLP analyzing the outcome and noting that courts found a high risk the defendants would persist with threats of unlawful disclosure unless clearly restrained. Armstrong Watson was represented by DAC Beachcroft LLP. Cooley wrote about the case because this line of precedent directly informs the firm's work in the cyber-injunction space -- including their representation of Infloww in the 2026 proceedings. The consistency matters: the same legal architecture used against anonymous ransomware actors is now being deployed against named corporate defendants.
What distinguishes the Infloww case from these precedents is the identity of the alleged attacker. Prior high-profile UK injunctions in the cyber context have predominantly been against "persons unknown" -- anonymous ransomware groups or dark web actors whose identities were unknowable at the time of the emergency application. In the Infloww case, the defendants are named, incorporated companies and identified individuals. The alleged conduct was not motivated by extortion. According to the claimant's case, as accepted as arguable by the court, it was motivated by competitive advantage -- using exfiltrated operational data to approach and win over the victim's agency clients. That shift -- from criminal extortion to alleged commercial theft by a named competitor -- represents the next evolution of this threat category.
The International Bar Association has noted that as law firms and businesses increasingly digitize their operations, they become prime targets for attackers who understand the commercial value of their data. The legal frameworks that were developed to respond to ransomware and extortion are now being applied to a threat actor profile that looks nothing like a traditional criminal hacker -- it looks like a competitor with a product roadmap and a legal address.
The Computer Misuse Act Problem Nobody Is Fixing Fast Enough
The article coverage of the Infloww case has mentioned the Computer Misuse Act 1990 as a potential parallel criminal pathway without examining an important complication: the CMA itself is under active legislative review at the moment the Infloww case is being litigated, and the outcome of that review has direct bearing on the criminal liability picture.
The CMA was passed 35 years ago, before cloud infrastructure, SaaS platforms, or API-driven architectures existed in any form. Its drafting reflects that era. Section 1 criminalizes unauthorized access to a computer system. Section 2 applies when that access is undertaken with intent to commit a further offense. Section 3 covers unauthorized modification of computer material. These provisions are deliberately technology-neutral, and that neutrality has allowed courts to apply them to conduct that the 1990 Parliament could not have imagined. But it has also created ambiguities that matter in competitive intrusion cases.
One of those ambiguities is the question of what constitutes "unauthorized" access when a competitor enters a platform through what appears to be an authenticated customer session -- which is precisely what the Infloww defendants are alleged to have done. The agencies that migrated to OnlyMonster had legitimate credentials on the Infloww platform. The defendants' position, as articulated by their legal team, is that those agencies authorized the transfer of their own data. Whether the technical access route was "unauthorized" in the CMA sense -- when it was executed through credentials that were, at the time, technically valid -- is a question that the civil proceedings have not needed to resolve but that a criminal prosecution would need to address directly.
The broader CMA reform picture adds a layer of context. In December 2025, Security Minister Dan Jarvis confirmed at the Financial Times Cyber Resilience Summit that the government is pursuing statutory changes to the Computer Misuse Act to provide explicit protection for security researchers and penetration testers. The reform effort has been years in the making: prior attempts to amend the Act failed in the Lords committee in December 2024 when Science Minister Patrick Vallance rejected proposed amendments on the grounds they might create loopholes for criminal exploitation. The Cyber Security and Resilience Bill, which passed its second reading in the Commons in January 2026, is the current vehicle for these changes.
The irony of the reform debate is visible in the Infloww case. Critics of the current CMA argue that it over-criminalizes legitimate security research while doing little to address sophisticated commercial intrusion. The Infloww case demonstrates exactly the kind of sustained, commercially targeted unauthorized access the Act was designed to address -- but the civil route was faster, more targeted, and produced more immediately useful remedies than a criminal referral would have. Criminal prosecution under the CMA in a cross-border case involving defendants in England, Cyprus, and Ukraine, with an underlying commercial dispute about platform migration rights, would take years and require a level of prosecutorial resource that does not match the civil injunction's speed. For companies facing competitive cyber espionage, the civil pathway may continue to be the primary strategic tool -- not because the criminal law is inadequate in principle, but because the institutional machinery for using it effectively in commercial contexts has not yet caught up with the threat.
The People the Coverage Forgot: The Fans Themselves
Every piece of coverage of the Infloww case -- including many sophisticated legal analyses -- has framed the dispute as a contest between two businesses. That framing is understandable, because the litigation is a commercial dispute brought by one company against another. But it largely overlooks a category of people who have no representation in these proceedings: the subscribers whose personal data forms the core of the contested material.
The fan notes described in the judgment are not abstract records. They document real, identifiable individuals -- named subscribers like "Brian," "Bruno," and "David" -- with information about their finances, their family situations, their military service, and their behavioral patterns, compiled specifically to optimize engagement during commercial interactions with content creator accounts. Under data protection frameworks applicable in the UK and EU, individuals whose personal information is processed in this way are data subjects with legal rights, including rights of access, rectification, and in certain circumstances erasure.
What the case surfaces -- separate from the civil dispute itself -- is a broader structural question about how personal data generated within subscription platform ecosystems is treated. The subscribers interacting with creator accounts almost certainly did not know detailed profiles were being built and stored about them by third-party agencies. Whether the companies involved in this ecosystem had appropriate lawful bases for that profiling, and what obligations may have been triggered by the alleged unauthorized access to that data, are questions that data protection regulators -- rather than a commercial court -- are better positioned to assess. Those questions exist independently of who wins or loses the civil case.
The data protection dimension of this case -- the rights of the individuals whose information sits at the center of the commercial dispute -- has received essentially no coverage. That is a gap worth noting, because regulatory scrutiny of data practices in platform ecosystems is increasing, and the structural issues the Infloww case surfaces are not unique to this industry.
The fan notes in dispute contain financial data, personal circumstances, and behavioral profiles of identified individuals who interacted with creator accounts. Under the UK GDPR and EU GDPR, individuals in that position are data subjects with legal rights. The civil proceedings address the rights of the platform and the competing companies. The rights of the individuals whose data is at the center of the dispute are a separate analytical question -- one that data protection regulators are positioned to engage with independently of the court outcome.
The Bigger Picture: SaaS Platforms as Espionage Targets
The cybersecurity industry has spent years focused on endpoint security, network defense, and ransomware resilience. What the Infloww case illustrates is a threat vector that receives considerably less attention: the SaaS platform as a target for competitive intelligence theft.
Consider what a well-populated CRM platform contains. It holds customer behavioral data, sales patterns, communication histories, pricing information, and operational workflows that took years to develop. In many industries, that data is more valuable to a competitor than any single piece of source code. A competitor with access to your CRM data does not need to reverse-engineer your product -- they already know your customers better than some of your own team members do.
This is not theoretical. The web scraping market -- which encompasses everything from legitimate data aggregation to the kind of unauthorized extraction alleged in this case -- was estimated at over USD 1 billion in 2024, projected to reach USD 2 billion by 2030 according to Mordor Intelligence. As the same industry report notes, the line between competitive intelligence and corporate espionage is defined by intent and authorization, not by the technical method. The same crawler code can serve legitimate business analysis or unauthorized data theft depending entirely on whether the operator had permission to access the target system.
The SaaS security threat surface has also expanded dramatically through integration ecosystems. A 2025 year-in-review of SaaS security incidents found that one of the year's significant breaches involved threat actors exploiting OAuth tokens from a third-party integration to move laterally across hundreds of customer environments -- without exploiting any vulnerability in the traditional sense. The CrowdStrike 2026 Global Threat Report documents that cloud-conscious intrusions rose 37% in 2025, with valid account abuse accounting for 35% of cloud incidents -- and that 82% of all detections were malware-free, as adversaries operated through valid credentials, trusted identity flows, and approved SaaS integrations. The average eCrime breakout time -- the window between initial access and lateral movement -- dropped to 29 minutes in 2025, down from 48 minutes the year before, with the fastest recorded breakout clocking in at 27 seconds. IBM's 2026 X-Force Threat Intelligence Index similarly found a 44% increase in attacks beginning with the exploitation of public-facing applications, and notes that large supply chain and third-party compromises have nearly quadrupled since 2020. The CrowdStrike report's core observation applies directly to the Infloww situation: adversaries exploited the visibility gaps created by fragmented security controls across identity, SaaS, and cloud, chaining together access paths to stay off well-protected endpoints. Security teams that monitor endpoints obsessively often have little visibility into how data flows through integrated platforms -- or how much of it leaves through what look like legitimate sessions.
In the Infloww case, the alleged access was not through an integration -- it was direct server intrusion. But the underlying principle is the same. Attackers who want your operational data do not need to compromise your endpoints, your email, or your identity provider. They need to find a way into the system where your most valuable business intelligence lives, and increasingly, that system is a SaaS platform with an API surface, a browser-based interface, and authentication credentials that may not be as hardened as the rest of your security stack.
The financial stakes in trade secret and data theft cases have also escalated sharply. In the United States alone, recent jury awards in trade secret misappropriation cases have reached extraordinary levels -- a Fifth Circuit ruling in late 2025 affirmed USD 56 million in compensatory damages and USD 112 million in punitive damages against Tata Consultancy Services for misappropriating trade secrets from Computer Sciences Corporation, along with a permanent injunction and a ten-year monitorship. A California jury awarded USD 604.9 million in a trade secret case involving confidential data and proprietary business intelligence. The message from courts on both sides of the Atlantic is consistent: stealing a competitor's data to gain commercial advantage is not a gray area, and the penalties are not a cost of doing business.
What Security Teams Should Take From This
The Infloww case is a practical case study in several things that security teams frequently underinvest in. First, access logging and anomaly detection at the application layer. The defendants allegedly conducted intrusions over a period of nearly twelve months -- from December 2024 through November 2025. A sustained intrusion campaign of that duration, targeting specific data categories rather than performing broad system disruption, should generate detectable patterns in application logs: unusual query volumes, access from unexpected IP ranges, data exports that do not correspond to known user behavior. Whether those patterns were present and undetected, or simply absent from the victim's monitoring stack, is not known from public filings -- but the duration of the alleged campaign suggests the access was not immediately obvious.
Second, the case reinforces the importance of treating operational data -- CRM records, subscriber analytics, proprietary reporting -- as a protected asset class, not just as business data. Many organizations invest heavily in protecting source code and employee personal data but treat customer behavioral data as a secondary concern. In an industry where that data represents years of accumulated competitive intelligence, the calculus is different.
Third, and perhaps most importantly from a legal response perspective, the case demonstrates the value of moving fast when unauthorized access is suspected. Infloww's legal team secured an emergency injunction before the defendants had any opportunity to delete, relocate, or further distribute the allegedly exfiltrated data. The swift legal response -- combined with the parallel US filing months earlier -- suggests the company had either developed an incident response plan that included legal escalation, or received skilled counsel quickly after discovering the breach. Either way, the speed of the legal response preserved options that would not have existed if the company had waited.
Deeper Solutions: What "Protecting SaaS Operational Data" Actually Requires
Generic advice about access controls and anomaly detection is a starting point, not an answer. The Infloww case points toward a more specific set of technical and organizational requirements that go substantially further than most organizations have implemented.
The first is behavioral baselining at the customer account level, not just at the user level. Many UEBA (User and Entity Behavior Analytics) deployments in SaaS environments monitor employees and system administrators. Almost none apply the same behavioral modeling to API calls and data access originating from customer-facing sessions. In the Infloww case, the alleged intrusion used what appears to have been authenticated access -- entering through systems that were designed to accept connections from agency accounts. Defending against that requires knowing what "normal" looks like for each customer account at a granular level: which queries they typically run, how much data they typically export, what time of day they typically access the platform, and what IP ranges are consistent with their operational geography. Deviations from those patterns should generate alerts, not just log entries.
The second is rate limiting and export throttling on data-intensive endpoints. CRM platforms by design expose bulk data through their query and reporting interfaces. An agency legitimately managing hundreds of creator accounts will generate substantial query volume. But there is a difference between the query patterns of an agency managing accounts and the query patterns of a party systematically extracting an entire database. Rate limiting that is calibrated to legitimate use cases -- and that automatically flags or throttles sessions that exceed them -- would have created friction for the kind of sustained bulk extraction alleged in this case, even if it would not have stopped it entirely.
The third is contractual data classification from the start. One of the central unresolved questions in this case is who owns the fan notes and scripts -- the platform, the agencies, or the creators. That question exists because the contracts between Infloww and its agency clients apparently did not clearly resolve it. Every SaaS vendor operating with enterprise or agency customers who generate significant operational data on their platform should have contract language that explicitly classifies derived analytics, platform-generated intelligence, and any data processed by the platform's own systems as the platform's proprietary information, separate from the raw customer-inputted records that customers may have portability rights to. Clear contractual classification does not guarantee a court outcome, but it enormously strengthens the argument that platform-generated analytics constitute trade secrets deserving protection.
The fourth is a documented, practiced incident response playbook that includes a legal escalation path as a first-class action, not a last resort. The speed of Infloww's legal response was clearly instrumental in getting an injunction in place before evidence could be destroyed. Organizations that have not pre-identified outside counsel with cybercrime and commercial litigation expertise, and have not established a clear decision-making process for when to escalate to litigation, will lose weeks negotiating engagement letters at exactly the moment when speed is most critical. The playbook does not need to be complex, but it does need to exist and to have been exercised.
Fifth, parallel jurisdiction awareness should be part of incident response planning for any company with cross-border operations or cross-border counterparties. Infloww filed in the Eastern District of Virginia in September 2025 and in the UK Commercial Court in December 2025. The multi-jurisdiction approach is not just about maximizing legal options -- it is about ensuring that a defendant cannot evade consequences by moving data or operations across a border that only one court can reach. Understanding in advance which jurisdictions are relevant to your threat model, and having counsel in those jurisdictions already identified, transforms a reactive crisis into an executable response.
Sixth, and this is the angle that many security teams have not yet operationalized: identity assurance is not the same as authentication. The CrowdStrike 2026 Global Threat Report's central observation about malware-free intrusions applies with particular force to the competitive espionage model. When an adversary enters through what appear to be valid credentials -- whether stolen, shared, or obtained through a social engineering approach to a legitimate account holder -- traditional authentication controls provide zero protection. What the Infloww case illustrates is that the question security teams need to be able to answer is not "is this credential valid?" but "does this behavioral session make sense for the entity this credential belongs to?" That is a meaningfully different question, and answering it requires behavioral analytics applied to SaaS session data with the same rigor that modern EDR platforms apply to endpoint telemetry. Session duration, query volume, data export size, time-of-day patterns, geolocation consistency, and the combination of resources accessed in a single session are all signals that can distinguish a legitimate account holder from someone operating through that holder's credentials. Treating authenticated access as inherently authorized -- rather than as a signal that requires continuous contextual validation -- is the design assumption that made twelve months of alleged undetected intrusion possible.
Cooley (UK) LLP has written that judgments of this kind give cyber-attack victims a strategic litigation tool to prevent the onward sale or disclosure of stolen information — functioning as an additional layer of defense where technical controls have already failed. Read the full analysis at Cooley (UK) LLP.
Key Takeaways
- Competitive espionage via server intrusion is a real and growing threat: The Infloww case is not an isolated incident. It reflects a threat actor profile -- direct business competitors using unauthorized access for commercial intelligence gathering -- that sits outside traditional cybersecurity threat modeling but is fully prosecutable under both criminal computer misuse law and civil trade secret frameworks.
- UK courts will move fast and hit hard when data exfiltration is credibly alleged: The body of case law around emergency injunctions following cyber incidents has expanded steadily since 2020. The Infloww ruling confirms that these remedies are available not just against anonymous ransomware actors, but against named corporate defendants. The additional orders requiring a sworn affidavit on the scope of data taken are a powerful enforcement tool that companies in similar situations should pursue.
- Parallel jurisdiction strategies matter: Infloww filed in US federal court in Virginia in September 2025 and secured a UK injunction in December 2025. Operating in multiple legal systems simultaneously is complex, but for companies with cross-border operations or cross-border attackers, it may be the only way to effectively contain the damage.
- SaaS platforms need application-layer monitoring, not just perimeter defense: An intrusion campaign allegedly sustained for nearly a year against a SaaS platform's data layer is a failure of detection, not just prevention. The CrowdStrike 2026 Global Threat Report documents that SaaS applications -- including CRM and collaboration platforms -- are now high-value targets for data discovery and exfiltration, and that 82% of detections involve adversaries operating through valid credentials rather than malware, with average eCrime breakout time now 29 minutes -- down from 48 minutes in 2024. Authentication is not authorization. Behavioral analytics at the session level is the detection layer this threat requires. Honey trap accounts are an underused complement to it.
- Operational data is a trade secret, not just business data: Customer behavioral data, subscriber analytics, proprietary reporting, and accumulated CRM intelligence are competitive assets that warrant the same legal and technical protection as source code or R&D documentation. If that data would give a competitor a meaningful commercial advantage, it qualifies for trade secret protection -- and that protection starts with treating it like one.
- The data ownership question is unresolved -- and it matters for every SaaS vendor: Whether fan notes and scripts belong to Infloww, the agencies, or the creators remains to be decided at trial. But the case has already established that the analytics and reporting data generated by the platform itself is the platform's confidential property. SaaS vendors with enterprise or agency clients who generate significant operational data on their infrastructure should have explicit contractual language resolving data ownership now -- not after a competitor has already taken what they believe is theirs.
- Data protection law runs parallel to the civil claim -- and much of the coverage has missed it: The fan notes at the center of this dispute contain names, ages, financial details, and behavioral profiles of identifiable individuals. That data is personal data on its face under both the UK GDPR and EU GDPR. The data protection questions that flow from the alleged unauthorized access to that data -- lawful basis, controller and processor responsibilities, notification obligations -- are analytically distinct from the commercial claim and would be assessed by regulators independently of the civil outcome. Any SaaS platform holding personal data about third parties needs a data protection posture that matches the sensitivity of what it actually holds.
- The CMA reform timeline creates uncertainty for criminal prosecution pathways: The Computer Misuse Act 1990, under active legislative reform at the time this case is being litigated, contains ambiguities around authenticated-but-unauthorized access that any criminal prosecution would need to navigate directly. For now, the civil route has proven faster, more targeted, and more immediately effective for competitive espionage scenarios. Organizations should plan their incident response around civil escalation as the primary tool, with criminal referral as a secondary option requiring specialist advice.
- The individuals whose data is at stake have rights the civil proceedings do not address: The subscribers whose profiles appear in the contested database are identifiable individuals with rights under applicable data protection law. The civil case addresses the rights of the competing companies. The data protection rights of the individuals whose information sits at the center of the dispute are a separate question -- one for regulators rather than commercial courts, and one that has received essentially no public attention in the coverage of this case.
The trial in Infinni Innovations v OFMS Limited has not yet occurred. The injunction is interim -- it will remain in place while the case proceeds, but the full factual record, including how the defendants allegedly accessed Infloww's systems and what they did with the data, will be tested at trial. What the court has confirmed so far is that there is a serious issue to be tried, that the evidence of exfiltration is credible enough to justify ongoing restraint, and that the defendants' explanations -- as the judgment at paragraph 16 records -- did not satisfy the court at the interim stage. Five unresolved questions will each carry weight beyond this case: how the alleged intrusion was technically executed; who actually owns the fan notes and scripts as between platform, agency, and creator; what data protection questions flow from the alleged exfiltration of personal data about identifiable subscribers; whether the platform migration defense creates a general authorization pathway that competitors could invoke in similar SaaS environments; and whether the Computer Misuse Act, under active reform as this case proceeds to trial, will prove an effective criminal complement to the civil framework or an instrument too blunt for the commercial context. Whatever the trial ultimately produces, the case has already moved the conversation in a direction the industry needed: that a competitor with a legal address and a product roadmap can be an adversary in the full cybersecurity sense of that word, and that the legal and technical infrastructure for responding to that threat is less ready than it should be.