Judge imposes no punishment on IT worker prosecuted after reporting data breach




The District Court of The Hague has imposed no penalty on a 45-year-old IT worker who was prosecuted after discovering a data breach on the website of the Central Bureau for Genealogy (CBG). He reported the leak via the whistleblower platform Publeaks, after which Tweakers published about it.

In the judgment, the court writes that the conduct constitutes computer intrusion and that the man cannot rely on his actions qualifying as ethical hacking. Nevertheless, the court decided not to impose a punishment, using a statutory provision that allows this. Its reasoning is that the man had no bad intentions, that he did not use the data from the database for his own gain, and that he served a social interest, which the court describes as 'the security of personal data'. The IT worker also cooperated with the investigation from the start.

The court further writes: "The court furthermore takes into account in favor of the suspect that the handling of his criminal case has exceeded the reasonable time limit, which means that the suspect has been in uncertainty about the outcome of the case for too long. The defendant stated that he had suffered in personal and business terms, also in relation to the major impact that the search of his home and his arrest had on him and his family." In addition, the man had not been in contact with the law before the incident and has not been since.

In the judgment, the court first concludes that the conduct amounts to computer intrusion. In the court's view the man used 'false signals', one of the statutory elements of this offence, to gain entry to the server of the Central Bureau for Genealogy. The court refers to an investigation by Fox-IT, which showed that a file called pictura.php was present on the CBG's web server and gave access to records in the database. That file was explicitly excluded in the robots.txt file, which thereby also revealed its existence. The robots file contained the line: disallow: /pictura.php # used to access the friends database.

The court sees the explicit exclusion of the PHP file as an indication that the CBG did not want it to be found. "From this it can be deduced that the administrator wanted pictura.php to be requested only in a manner to be determined by [injured party]", the judgment states. The court continues: "In the foregoing, the court sees, in the legal sense, a minimum form of security, namely a recognisable threshold so that unauthorized persons cannot simply access pictura.php and the underlying database: on the one hand by excluding pictura.php with the command 'disallow', on the other hand by requiring the entry of a valid id when requesting it."

By entering such ids and then retrieving a large amount of data from the database, the man "unlawfully gained access" to the database, according to the court. The judgment then returns to the element of 'false signals'. Because the server administrator had not anticipated that others could access the database in this way, whereas the IT worker did exactly that, the court finds that such signals were present: "By requesting the pictura.php script as a non-entitled party and entering a valid id, and thus giving the web server 'any signal', the defendant provoked a result, the return of a record to a non-entitled party, that the web server made possible but that the administrator had not taken into account."
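The mechanism the court describes, a lookup script that returns a record to anyone who supplies a valid id, is a classic missing-authorization bug, and a robots.txt Disallow line is not a security control: crawlers that honour it skip the path, while anyone who reads the file learns exactly which path the administrator wanted hidden. The following Python model, added here as an illustration and not code from the page, the court file, the CBG or Fox-IT, shows that pattern beside a hardened lookup that binds each record to an authenticated owner. The records, the robots.txt text, the session tokens and all function names are constructed for this example; they are not the real pictura.php or the real database.

```python
"""Added example (not code from the page, the court, or the CBG): a
pure-Python model of a record-lookup endpoint that, like the pictura.php
script described in the judgment, returns a record for any valid id, next
to a hardened version that binds access to an authenticated owner. All
names, records and sessions below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: a few "friends database" records with sequential ids.
RECORDS: Dict[int, dict] = {
    1: {"name": "A. de Vries", "iban": "NL00BANK0000000001", "email": "a@example.org"},
    2: {"name": "B. Jansen", "iban": "NL00BANK0000000002", "email": "b@example.org"},
    3: {"name": "C. Bakker", "iban": "NL00BANK0000000003", "email": "c@example.org"},
}

# Constructed robots.txt, modelled on the line the judgment quotes.
ROBOTS_TXT = """User-agent: *
Disallow: /pictura.php # used to access the friends database
"""


def disallowed_paths(robots_txt: str) -> List[str]:
    """Return every path a robots.txt asks crawlers to stay away from.
    This is how an attacker reads the file: the Disallow list is a map of
    what the administrator considers sensitive, not a barrier."""
    paths = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow":
            # drop the trailing '#' comment, which a robots parser ignores anyway
            paths.append(value.split("#", 1)[0].strip())
    return paths


def vulnerable_lookup(record_id: int) -> Optional[dict]:
    """The pattern the judgment describes: a 'valid id' is the only check.
    Ids are sequential, so a loop over 1..N dumps the whole table."""
    return RECORDS.get(record_id)


def dump_everything(max_id: int) -> Dict[int, dict]:
    """The enumeration a download script performs against such an endpoint
    (constructed model of the behaviour, not the script from the case)."""
    result = {}
    for i in range(1, max_id + 1):
        record = vulnerable_lookup(i)
        if record is not None:
            result[i] = record
    return result


# Hardened version: a session token identifies a user, and a record is
# returned only to the user who owns it (or an explicitly authorised role).
@dataclass(frozen=True)
class Session:
    user_id: int
    role: str = "member"


# Constructed session store: token -> session. Real tokens would be random
# and server-issued; these literals are placeholders for the example.
SESSIONS: Dict[str, Session] = {
    "tok-user1": Session(user_id=1),
    "tok-admin": Session(user_id=99, role="admin"),
}


def hardened_lookup(token: Optional[str], record_id: int) -> Optional[dict]:
    """Authenticate first, then authorise per record; never trust the id alone."""
    session = SESSIONS.get(token) if token else None
    if session is None:
        return None  # unauthenticated: no record, valid id or not
    if session.role != "admin" and session.user_id != record_id:
        return None  # authenticated, but not the owner of this record
    return RECORDS.get(record_id)


if __name__ == "__main__":
    print("advertised by robots.txt:", disallowed_paths(ROBOTS_TXT))
    print("vulnerable dump size:", len(dump_everything(10)))
    print("hardened, no token:", hardened_lookup(None, 1))
    print("hardened, owner:", hardened_lookup("tok-user1", 1))
    print("hardened, other user's record:", hardened_lookup("tok-user1", 2))
```

The two points a practitioner should take from the model: the Disallow line and the "valid id" requirement together stop nothing, because both the path and the id space are discoverable, and the fix is server-side authorization per record, not hiding the endpoint. Non-sequential identifiers slow enumeration down but are not a substitute for that check.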

An appeal to ethical hacking therefore fails: according to the court, the man did not act proportionately, because he downloaded the entire database. He should also have reported the leak to the organization itself rather than to a whistleblowing platform, which means he did not meet the requirement of subsidiarity either. The court does not rule on the claim for compensation of more than 20,000 euros filed by the CBG, because that is a matter for the civil court.

Tweakers published a report about the leak in 2015, after receiving the information via Publeaks and informing the CBG. It recently became known that the reporter was being prosecuted for computer intrusion and that the Public Prosecution Service had demanded 120 hours of community service. A further factor was that the IT worker had downloaded the entire database from the CBG with a script; according to the court, that was not disputed in the case. The database contained name and address details, bank account numbers and e-mail addresses of 80,000 people.
