Criminalizing the Crime: Punishing Data Theft
A convicted hacker in Turkey received a 334-year sentence for data theft, while a UK official calls for stronger sentences there.
Three hundred thirty-four years – that’s how long a 26-year-old Turkish national, Onur Kopçak, was sentenced by a court in that country for his role in a cyber criminal operation that used a host of malicious web sites to “phish,” or steal, login credentials for banking web sites, as reported by the website ZDNet and by local media in Turkey.
The sentence, handed down by Turkey’s Criminal Court of Appeals, was greeted with protest. It stems from a 2013 case involving attacks on 11 banks that affected some 43 customers.
Harsh justice is nothing new in Turkey. But the case against Kopçak obscures the fact that, in many countries, the crime of data theft most often is met with light or suspended sentences and monetary fines – not hard jail time.
The famous "Turkish Prison" scene from Airplane.
That’s the case in the UK, where that country’s Information Commissioner, Christopher Graham, is calling for the government to overhaul its laws related to the theft of personal data. Graham’s casus belli is the case of Sindy Nagra, a 42-year-old administrative assistant at Enterprise Rent-A-Car. Nagra stole and then sold customer records on some 28,000 individuals for £5,000.
After an investigation uncovered her crimes, she was fined just £1,000 and ordered to pay roughly another £1,000 in court costs and surcharges for her crime. Under Section 55 of the UK’s Data Protection Act, courts can issue unlimited fines for the offense of data theft, but not custodial sentences.
In the U.S., a handful of marquee cases involve wholesale data theft from retailers like TJX and Home Depot. Albert Gonzalez, a serial thief and criminal hacker, received two (concurrent) 20-year sentences as the ringleader of hacks against TJX, Heartland Payment Systems, BJ’s Wholesale Club, DSW, Office Max, Barnes and Noble and other retailers.
David Ray Camez, who operated the carder.su website, was sentenced to 20 years by a federal court in 2014 under the U.S.’s RICO anti-racketeering law.
But those big cases obscure the long tail of much lighter sentences for hackers, data thieves, malicious software authors and the like. Just this month, for example, a federal judge in Manhattan sentenced a Latvian computer hacker to time served after less than two years behind bars. Deniss Calovskis was charged with helping to create the Gozi virus, a kind of banking Trojan linked to widespread theft. He was extradited to the U.S., where he pled guilty to one charge of conspiracy to commit computer intrusion and was sentenced to two years behind bars, before having that sentence reduced.
On Tuesday, U.S. Federal Judge Kimbra Wood said that despite the seriousness of the crime, Mr. Calovskis had “already been adequately punished after spending 10 months in a Latvian prison and 11 months in a U.S. prison following his 2012 arrest,” the Wall Street Journal reported. Mr. Calovskis’ “unusual individual characteristics will not…cause others to follow in his footsteps by my not giving him a longer sentence,” she said.
That may be a true observation – and also beside the point. What is clear is that there has been no let-up in the frequency of online crimes. If anything, cyber crime is becoming more common and more costly. It would be an overstatement to say that harsh prison sentences would stem the growth of crime – especially when so much online crime happens in jurisdictions other than those where the trials occur.
And these cases overlook the enormous number of small-scale leaks and data thefts happening on corporate networks all over the world. Many of these go unreported and the culprits never face criminal charges.
It’s not too much to say (in my opinion) that clarifying the laws regarding the punishment for different types of cyber crimes, modernizing those laws to capture the diversity of modern, online criminal behavior and harmonizing those laws across countries would make it much harder for any cyber criminal to kid themselves that they are beyond the reach of the law. Inserting the real specter of law enforcement kicking down the door wouldn’t dissuade hardcore criminals like Gonzalez. But, in many cases, it may introduce enough of a deterrent to stay the hand of naive, would-be hackers like Calovskis.
Speaking at a recent conference, former NSA Director Michael Hayden said that the U.S. desperately needs to modernize its cyber crime laws, updating the moth-eaten CFAA (Computer Fraud and Abuse Act) while also making clear that some hostile acts, committed online, may be treated as acts of war and handled under the laws of armed conflict.
Paul F. Roberts is the Editor in Chief of The Security Ledger and Founder of The Security of Things Forum.