
Cybercrime: Data breach – hackers at work

Almost every day, the media report breaches of essential databases. This year in Poland, there was a lot of coverage of a hacking attack (although it would be more precise to say “cracking attack”) in which personal data was accessed in the databases of such websites as Cyfrowe.pl, Exerion.pl, okno.pw.edu.pl (database of Warsaw University of Technology) and KSSIP.GOV.PL (database of the National School of Judiciary and Public Prosecution). The problem of breached databases is not unique to Poland – it is present throughout the world. Just a few days ago, the media reported on a successful hacker attack on the New York law firm Grubman Shire Meiselas & Sacks, which serves, among others, well-known artists and athletes. The celebrity data breached by the hackers may contain, among other things, information about their contracts, classified agreements, phone numbers, e-mail addresses and private correspondence.

As the above example shows, hacking activities may aim at accessing various information gathered on servers scattered around the world, including in so-called online clouds. Very often hackers extract such data as names, e-mail addresses and passwords, telephone numbers and bank account numbers. Sometimes hackers also manage to steal more sensitive data, such as identity card numbers or credit card numbers. In other words, this is the information that we usually make available, for example, when registering for a website and using Internet services. Poor or entirely absent security, system vulnerabilities and human errors all fuel hackers' activity. Meanwhile, despite the nature of the problem and the frequent reports of hacking attacks, many entities and institutions ignore the problem and do not plan for cybersecurity in their budgets, living in the false belief that the problem will never concern them.

The motives underlying hackers’ attacks vary. Sometimes it is a matter of publicity and increasing one’s reputation in the hacking community, which is most often associated with making the acquired data public on the web. Another motive is financial profit, which means that the data obtained by hackers is not published (at least temporarily), but is sold or used for their own purposes. For example, a so-called combolist consisting of records in the form of an e-mail address and password can be used to access popular websites. Sometimes hackers use the data for blackmail, as in the example of the aforementioned New York law firm, where hackers demanded a ransom in exchange for not publishing information about the celebrities. Often in this type of attack, hackers use ransomware that blocks access to the data by encrypting it. Retrieval of stolen and encrypted data is possible only after paying the ransom.

From the point of view of Polish law, the above behaviour is naturally a prohibited act. For example, “hacking” into the database of an Internet service to obtain data on its users will be qualified under Article 267 § 2 of the Criminal Code, which provides for a penalty of up to 2 years of imprisonment for this type of activity. The use of ransomware to encrypt data for ransom may, in turn, be considered an offence described in Article 268a of the Criminal Code, which provides for a sentence of up to 5 years of imprisonment in the event of substantial material damage. On the other hand, the very creation of a tool (a computer program) for obtaining data collected in databases exposes one to criminal liability for the act under Article 269b of the Criminal Code. This provision provides for a sentence of up to 5 years of imprisonment. As can be seen from the above, the penalties for criminal hacking activities can be relatively high.

In theory, you can check whether your e-mail and password have been leaked by using search engines built for this purpose (e.g. haveibeenpwned.com), although using them can be risky. Therefore, if you suspect that your e-mail has been used for hacking activities, it is best to start by changing your password, and also by changing it wherever you have used the same e-mail and password during registration.

 

Attorney at law Michał Korszla