Hacking in the headlines and relevant Irish Law Posted by John on 16 September 2015


A Russian citizen, Vladimir Drinkman, has admitted to plotting the largest international hacking and data breach scheme ever prosecuted in the United States. Accused of masterminding a hack which stole more than 150 million credit card numbers, Drinkman pleaded guilty this week in a New Jersey federal court to one count of conspiracy to commit unauthorised access of protected computers and one count of conspiracy to commit wire fraud.

The charges involve cyber attacks which have resulted in hundreds of millions of dollars in losses. Drinkman was extradited from the Netherlands in February of this year following a six-year campaign to bring him to justice. He and four co-defendants are accused of breaking into the networks of the Nasdaq Stock Exchange, 7-Eleven and other companies that receive and transmit financial data. Three of the five alleged hackers are still at large while one is in US custody. They allegedly specialised in penetrating networks before mining the compromised systems in order to retrieve credit card numbers which were then sold for up to $50 each. 

It is the largest data breach crime prosecuted by US authorities, which are now co-operating with international counterparts so as to combat increasing numbers of cyber attacks. Drinkman, who will be sentenced in January, faces up to 30 years in prison.

At present, Ireland has no unequivocal legislation for computer-related crime. The law in Ireland is rather a combination of various statutory provisions that have been modified to address cybercrime. The Data Protection Acts 1988 and 2003 and the Postal and Telecommunications Services Act 1983 both provide for sanctions in the event of certain misuse of computers. However, the principal Acts that pertain to crimes perpetuated against computers are the Criminal Damage Act 1991 and the Criminal Justice (Theft and Fraudulent Offences) Act 2001. Almost a quarter of a century old, the 1991 Act remains as the primary legal instrument of the State that addresses computer crime.

This combination of ill-fitting, comparatively-antiquated legislation is entirely at odds with the very nature of technology and how it affects users. It is disappointing therefore that such recalcitrance continues during such an important era. Moreover, the Internet is constantly evolving and maturing in order to suit cultural needs so it is imperative that appropriate legal controls are effected so as to promote confidence and stability amongst users. As such, the inherent limitations of the 1991 Act present a fundamental challenge to effective policing of crimes against computers and provision of appropriate safeguards for citizens who may be innocent victims of sophisticated criminal activity. Lastly, as data storage services become increasingly dependent on off-site cloud facilities and consumers select alternative means to transmit and retain data, the 1991 Act will become progressively obsolete.