Cybercrime , Fraud Management & Cybercrime , Geo Focus: The United Kingdom

Hacker Who Hit Microsoft and Nintendo: Suspended Sentence

Security Researcher Who Targeted Microsoft With Malware Also Breached VTech
Hacker Who Hit Microsoft and Nintendo: Suspended Sentence

Hack attacks that resulted in corporate Microsoft and Nintendo networks being breached and data stolen have resulted in suspended sentences for two British men.

See Also: Webinar | Identity Crisis: How to Combat Session Hijacking and Credential Theft with MDR

Police say the hackers did not steal customer or financial data from either business, but did obtain in-development software and other sensitive information. Total damages as a result of the attacks were estimated to be £3 million ($4 million).

Appearing at Blackfriars Crown Court in London on Thursday, Zammis Clark, 24, of Bracknell, England, received a 15-month jail sentence after he pleaded guilty to five counts of computer hacking, including gaining access to unauthorized programs and data and uploading malicious software.

The sentence against Clark - aka "Slipstream" and "Raylee" - has been suspended for 18 months, meaning that so long as he does not reoffend in that timeframe, he will not go to prison.

Clark has also received a Serious Crime Prevention Order, which is a civil order meant to prevent or deter serious crime. Anyone who breaks such an order can receive a five-year prison sentence and unlimited fine.

Prosecutors told the court that Clark was previously responsible for hacking into the servers of "smart" toymaker VTech in Hong Kong in 2015 and accessing millions of customer accounts, the Evening Standard reported.

But VTech declined to press charges against Clark, leading to his being let off with only a police caution, the court heard.

The VTech hack resulted in 10 million accounts being compromised, as well as one year's worth of chat logs and stored photographs of children who used its toys being exposed. At the time, the alleged, unnamed hacker told Vice Media journalist Lorenzo Franceschi-Bicchierai that the hack had been accomplished by exploiting a SQL injection flaw in the VTech site.

In response to that breach, multiple U.S. states and regulators launched probes of VTech's security policies, leading to fines and settlements (see: Toymaker VTech Settles FTC Privacy Lawsuit For $650,000).

Accomplice Also Pleads Guilty

Appearing alongside Clark on Thursday, Thomas Hounsell, 26, of Lincolnshire, England, received a suspended jail sentence after he pleaded guilty to one charge of computer misuse. Hounsell, a web designer, admitted to breaching Microsoft's network with Clark.

Hounsell was sentenced to serve a six months in prison, which has been suspended for 18 months. He must also perform 100 hours of unpaid work.

Hackers Zammis Clark and Thomas Hounsell were sentenced on March 28 at Blackfriars Crown Court in London. (Photo: Nigel Cox, via CC BY-SA 2.0)

Both men were arrested after investigations by England's South East Regional Organized Crime Unit, aka SEROCU, backed by Europol - the EU's law enforcement intelligence agency - as well as Microsoft's own cybercrime investigation team and the U.K.'s National Crime Agency.

Police say Hounsell conducted numerous searches of Microsoft's network from Jan. 27 to Feb. 16, 2017. "Hounsell posted non-publicly available data to his personal website, with investigators also finding Microsoft data on his digital devices following his arrest," SEROCU says.

Security Researcher Publicized Flaws

The charges against Clark were more serious, with police saying he targeted Microsoft's network from Jan. 24 to Feb. 16, 2017, stealing 43,000 files that they later recovered, as well as uploading malware, at which point the intrusion appears to have been discovered, The Verge reported.

"He published on an internet chat room the fact he had hacked into the system, and by publishing that, a number of other hackers from France, Germany, Ireland, Slovakia, the United States and the United Arab Emirates accessed the computer server," prosecutor Dickon Reid told the court, the Evening Standard reported.

Microsoft estimated that Clark and Hounsell's breach of its network led top £1.5 million ($2 million) in incident response and system overhaul costs.

Clark was first arrested in June 2017. At the time, he was working as a security researcher for security vendor Malwarebytes, for which he authored several blog posts in the first half of 2017.

"The alleged behavior happened before the individual was hired as a Malwarebytes employee," the company tells Information Security Media Group in a statement. "When we learned about the allegations we terminated his employment. Malwarebytes does not condone this type of behavior."

Police: Clark Kept Hacking

Clark has long been a security researcher. In 2015, he publicized flaws in Impero Education Pro, a widely used tool for monitoring and restricting British schoolchildren's internet use.

While Clark was being investigated by police for the Microsoft hacking - after his arrest, he'd been released with no restrictions imposed on his computer use - he continued his hack attacks, accessing private areas of Nintendo's network in 2018 between March 9 and May 23, and stealing more than 2,000 usernames and passwords, police say.

Nintendo estimated that the attack necessitated £1.4 million ($1.9 million) in incident response and system overhaul costs.

"Although Clark didn't access any personal customer information, he repeatedly demonstrated intent to gather private information in full knowledge that his actions were illegal," says Detective Sgt. Gary Hooks, who's part of SEROCU's cybercrime team.

"Cybersecurity is not a victimless crime, and Clark was aware of the investigation into the initial incident with Microsoft but continued to commit further offences. We are therefore glad to secure a conviction for both cases," he says. "Throughout the investigations we have worked closely with Microsoft and Nintendo and I'd would like to thank both companies for their continued support and cooperation throughout."

"This action by the courts in the U.K. represents an important step," Tom Burt corporate vice president for customer security and trust at Microsoft, tells ISMG in a statement. "Stronger internet security not only requires strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement. No company is immune from cybercrime."

Burt also reiterated that "no customer data was accessed, and we're confident in the integrity of our software and systems," and that Microsoft has "comprehensive measures in place to prevent, detect and respond to attacks."

Nintendo didn't immediately respond to a request for comment on the admitted hackers' sentencing.

Barrister: Clark is on the Autistic Spectrum

Clark's barrister, Charles Burton, told the court that his client is on the autistic spectrum and that he has found himself unable to stop hacking.

At the conclusion of sentencing on Thursday, The Verge reported, Judge Alexander Milne told the defendants: "I am trusting this will be a lesson from which you will all learn."

The judge said that he'd considered all the circumstances in this case before imposing the sentences. He said his decision to not impose any jail time in particular on Clark - provided he avoids further reoffending - was based in large part on the decision by Clark's mother to give up her day job so she could supervise her son's rehabilitation, and the clear toll that the ordeal had taken on their family, The Verge reported.

"The heartbreak, and I can only see it as heartbreak for his parents, comes across loud and clear," Judge Milne said. "They are to be commended."

Story updated with comments from Malwarebytes and Microsoft.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.