A cyber scene of crime – in everybody’s home

1 November 2016 by

This blog has covered a number of claims for damages arising out of the misuse of private information. The Mirror Group phone hacking case is one example (see my post here and the appeal decision here), and the fall-out from the hapless Home Office official who put private information about asylum-seekers on the Internet is another (Gideon Barth’s post on TLT here). See also below for related posts.

But this post is to give a bit of context, via the wider and scarier cyber crime which is going on all around us. It threatens the livelihoods of individuals and businesses the globe over – and has given and will undoubtedly give rise to complex spin-off litigation.

So let’s just start with the other week. On 21 October 2016, it seems nearly half the Internet was hit by a massive DDoS attack affecting a company, Dyn, which provides internet services infrastructure for a host of websites. Twitter, Reddit, Netflix, WIRED, Spotify and the New York Times were affected. DDoS, for cyber virgins, is Distributed Denial of Service, i.e. an overloading of servers via a flood of malicious requests, in this case from tens of millions of IP addresses. No firm culprits so far, but a botnet called Mirai seems to be in the frame. It is thought that non-secure items like cars, fridges and cameras connected to the Internet (the Internet of Things) may be the conscripted foot soldiers in such attacks.

And now to the sorts of cases which have hit the headlines in this country to date.

On the non-criminal side, so far, things tend to surface via the enforcement of data protection laws. After all, companies don’t like announcing to the world that they have been hacked, so regulation (rather than conventional litigation) brings out the more egregious examples.

Top of the current tree in the UK is TalkTalk, which, on 5 October 2016, was fined a record £400,000 for failing to implement “the most basic cyber security measures” on its website, as the Information Commissioner put it – see here. A hacker had released personal data on 156,959 customers, including, in 10% of these cases, their bank account details. The key to the hefty fine was, unsurprisingly, the release of bank details. TalkTalk’s database software was out of date and no longer supported by the provider. The sequel: the hacker is alleged to have demanded 465 bitcoins (worth about £216,000) after the attack: see here. He and co-defendants are before the courts at the moment.

For a list of the companies (as well as NHS Trusts and, ahem, a police force) whose collars have been metaphorically felt by the ICO, see their naming and shaming here. Note from the list that 545 new cases sit in the ICO’s inbox.

But then all this might seem like peanuts, compared to the Yahoo hack (happened in 2014, reported in September 2016(!)) affecting 500 million customers – see the helpful Telegraph graphic here giving some other big numbers in recent years, including Myspace’s 360m reported earlier this year. Not perhaps coincidental that the Yahoo hack was revealed as due diligence proceeded on Yahoo’s impending sale to Verizon.

The civil litigation which has emerged tends to be emergency injunctions obtained by the hacked to stop the hacker disclosing information – if you are lucky enough to trace the hacker in time. An example is British Pregnancy Advisory Service v. The Person Using the Alias “Pablo Escobar” here – interim disclosure order made the morning after 26,000 attempts to get into BPAS’s website. To a devoted Narcos watcher, that seems like a good alias, mixing ruthlessness and self-obsession with a squeeze of anarchism.

With some helpful links provided by William Harbage Q.C. and his specialist criminal team at 36 Bedford Row (here for their cyber work), and a full database (here) courtesy of Cambridge academic Alice Hutchings, we can see these and other cases which have hit the criminal courts.

A notorious group of “hacktivists”, Ackroyd, Davis, Al-Bassam and Cleary, operated under the name of LulzSec – their motto “Laughing at your security since 2011”. For a full account of their antics, see the Wiki entry here. Their attacks involved the CIA, the FBI, Sony and Nintendo. They stole information and posted it unencrypted on filesharing sites like Pirate Bay. They also initiated DDoS attacks. But they in turn were busted, ending up before Southwark Crown Court in 2013, and were given up to 32 months’ imprisonment for offences under the Computer Misuse Act 1990.

Or what about Charlton Floate, from Solihull, who caused the Home Office website to crash via malware-infected computers, and did the same to an FBI crime reporting site (when a mere 16 years of age)? The latter was widely celebrated on a hackers’ forum. He also hacked into the Hillsborough Independent Inquiry Panel site. But he was not entirely sophisticated about his own security, as he was “spotted” when he used his own IP address to check how effective his mayhem had been. He received a suspended sentence from Birmingham Crown Court in 2015.

Unsurprisingly, most defendants in this field are hardly out of short trousers – contrast Sullivan, a Merseyside “father of 6”, aged 51, who ended up with 34 weeks in prison for assorted DDoS attacks. His targets included the Conservative Party, British Airways and various banks. His own fatal exception error – announcing the attacks on a Twitter account to which he could be linked.

Then there was Neale, who appeared in Guildford Crown Court in 2015, on a revenge cybercrime. He was the ex-director of a cyber-security software company who hacked into his erstwhile company’s systems in order to undermine them. He ended up being sentenced to 18 months’ imprisonment.

Finally, Martin, who ended up with 2 years inside for repeated attacks on Oxford and Cambridge University websites (see his unsuccessful appeal against sentence here) and on individuals. A rather typical triumphalism can be found in his case, as in a lot of these cases. So he emailed Oxford –

“You Just Don’t f***** learn”.


I have owned you once before (DDOS attack about six to seven months ago?) and I am going to do it again along with Cambridge. I have access to your SQL users and password database, they are encrypted as you obviously know but it won’t take long and by the time you have read this message I will have sold the two databases and what is needed to have been done will have been done.

Despite the last, Martin does not in fact appear to have been motivated by the money – his only profit from all this activity was one Domino’s pizza obtained using the account details of his then employer.


Just a few stories drawn out of the mass of cases out there. Many more to come, as we must be right at the beginning of the upsurge of cases, criminal and civil. And we should not ignore public law spin-offs – see here, for a relatively recent Malware dispute involving PhonePayPlus. That is before we get to insurers who cover (or may be said by their unfortunate insureds to cover) such corporate disasters.

My thanks to William Harbage Q.C. of 36 Bedford Row and Claire McGregor of 1 Crown Office Row for their comments on earlier drafts.



  1. daveyone1 says:

    Reblogged this on World4Justice : NOW! Lobby Forum..

  2. Ex-Conservative Voter says:

    I think the DWP, HMRC and local government benefit offices have been hacked, and are using hacked information to prosecute people who aren’t guilty too, but who would be able to prove it?

  3. Ex-Conservative Voter says:

    People who work online and claim benefits are being prosecuted as we speak for failing to declare income that isn’t theirs, when their internet providers, software suppliers and banks keep schtum about data hacks and money going through their accounts isn’t theirs, and are finding it so impossible to make head or tail of their accounts, but can’t find solicitors to help because they don’t understand computer fraud. Most are being advised to plead guilty to crimes they haven’t committed, or cutting out the middlemen and taking overdoses while they can still make purchases online.


Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English, Angus McCullough QC, David Hart QC, Martin Downs, Jim Duffy
