Hacker Who Hit Microsoft and Nintendo: Suspended Sentence
Security Researcher Who Targeted Microsoft With Malware Also Breached VTech
Hack attacks that resulted in corporate Microsoft and Nintendo networks being breached and data stolen have resulted in suspended sentences for two British men.
Police say the hackers did not steal customer or financial data from either business, but did obtain in-development software and other sensitive information. Total damages as a result of the attacks were estimated to be £3 million ($4 million).
Appearing at Blackfriars Crown Court in London on Thursday, Zammis Clark, 24, of Bracknell, England, received a 15-month jail sentence after he pleaded guilty to five counts of computer hacking, including gaining unauthorized access to programs and data and uploading malicious software.
The sentence against Clark - aka "Slipstream" and "Raylee" - has been suspended for 18 months, meaning that so long as he does not reoffend in that timeframe, he will not go to prison.
Clark has also received a Serious Crime Prevention Order, which is a civil order meant to prevent or deter serious crime. Anyone who breaches such an order can receive a five-year prison sentence and an unlimited fine.
Prosecutors told the court that Clark was previously responsible for hacking into the servers of "smart" toymaker VTech in Hong Kong in 2015 and accessing millions of customer accounts, the Evening Standard reported.
But VTech declined to press charges against Clark, leading to his being let off with only a police caution, the court heard.
The VTech hack resulted in 10 million accounts being compromised, as well as one year's worth of chat logs and stored photographs of children who used its toys being exposed. At the time, the alleged, unnamed hacker told Vice Media journalist Lorenzo Franceschi-Bicchierai that the hack had been accomplished by exploiting a SQL injection flaw in the VTech site.
In response to that breach, multiple U.S. states and regulators launched probes of VTech's security policies, leading to fines and settlements (see: Toymaker VTech Settles FTC Privacy Lawsuit For $650,000).
Accomplice Also Pleads Guilty
Appearing alongside Clark on Thursday, Thomas Hounsell, 26, of Lincolnshire, England, received a suspended jail sentence after he pleaded guilty to one charge of computer misuse. Hounsell, a web designer, admitted to breaching Microsoft's network with Clark.
Hounsell was sentenced to six months in prison, suspended for 18 months. He must also perform 100 hours of unpaid work.
Both men were arrested after investigations by England's South East Regional Organized Crime Unit, aka SEROCU, backed by Europol - the EU's law enforcement intelligence agency - as well as Microsoft's own cybercrime investigation team and the U.K.'s National Crime Agency.
Police say Hounsell conducted numerous searches of Microsoft's network from Jan. 27 to Feb. 16, 2017. "Hounsell posted non-publicly available data to his personal website, with investigators also finding Microsoft data on his digital devices following his arrest," SEROCU says.
Security Researcher Publicized Flaws
The charges against Clark were more serious, with police saying he targeted Microsoft's network from Jan. 24 to Feb. 16, 2017, stealing 43,000 files that they later recovered, as well as uploading malware, at which point the intrusion appears to have been discovered, The Verge reported.
"He published on an internet chat room the fact he had hacked into the system, and by publishing that, a number of other hackers from France, Germany, Ireland, Slovakia, the United States and the United Arab Emirates accessed the computer server," prosecutor Dickon Reid told the court, the Evening Standard reported.
Microsoft estimated that Clark and Hounsell's breach of its network led to £1.5 million ($2 million) in incident response and system overhaul costs.
Clark was first arrested in June 2017. At the time, he was working as a security researcher for security vendor Malwarebytes, for which he authored several blog posts in the first half of 2017.
"The alleged behavior happened before the individual was hired as a Malwarebytes employee," the company tells Information Security Media Group in a statement. "When we learned about the allegations we terminated his employment. Malwarebytes does not condone this type of behavior."
Police: Clark Kept Hacking
Clark has long been a security researcher. In 2015, he publicized flaws in Impero Education Pro, a widely used tool for monitoring and restricting British schoolchildren's internet use.
While Clark was being investigated by police for the Microsoft hacking - after his arrest, he had been released with no restrictions imposed on his computer use - he continued his hack attacks, accessing private areas of Nintendo's network between March 9 and May 23, 2018, and stealing more than 2,000 usernames and passwords, police say.
Nintendo estimated that the attack necessitated £1.4 million ($1.9 million) in incident response and system overhaul costs.
"Although Clark didn't access any personal customer information, he repeatedly demonstrated intent to gather private information in full knowledge that his actions were illegal," says Detective Sgt. Gary Hooks, who's part of SEROCU's cybercrime team.
"Cybersecurity is not a victimless crime, and Clark was aware of the investigation into the initial incident with Microsoft but continued to commit further offences. We are therefore glad to secure a conviction for both cases," he says. "Throughout the investigations we have worked closely with Microsoft and Nintendo and I would like to thank both companies for their continued support and cooperation throughout."
"This action by the courts in the U.K. represents an important step," Tom Burt, corporate vice president for customer security and trust at Microsoft, tells ISMG in a statement. "Stronger internet security not only requires strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement. No company is immune from cybercrime."
Burt also reiterated that "no customer data was accessed, and we're confident in the integrity of our software and systems," and that Microsoft has "comprehensive measures in place to prevent, detect and respond to attacks."
Nintendo didn't immediately respond to a request for comment on the admitted hackers' sentencing.
Barrister: Clark is on the Autistic Spectrum
Clark's barrister, Charles Burton, told the court that his client is on the autistic spectrum and that he has found himself unable to stop hacking.
At the conclusion of sentencing on Thursday, The Verge reported, Judge Alexander Milne told the defendants: "I am trusting this will be a lesson from which you will all learn."
The judge said that he'd considered all the circumstances in this case before imposing the sentences. He said his decision to not impose any jail time in particular on Clark - provided he avoids further reoffending - was based in large part on the decision by Clark's mother to give up her day job so she could supervise her son's rehabilitation, and the clear toll that the ordeal had taken on their family, The Verge reported.
"The heartbreak, and I can only see it as heartbreak for his parents, comes across loud and clear," Judge Milne said. "They are to be commended."
Story updated with comments from Malwarebytes and Microsoft.