September 24, 2012
The muti-year legal struggles of an unidentified Frenchman from the Breton region underscore many of the issues and challenges associated with computer security. Prosecuted as malicious hacker, a French court ultimately concluded that he was, instead, merely unlucky.
His story provides a cautionary tale for the cyber-age.
In 2008, the man in question was unemployed and trying to save money wherever possible. As part of an effort to take advantage of the reduced telephone charges available through the Skype communications system, he began experimenting with use of different dialing codes.
After dialing in a random number, he received an automated prompt requesting his access number. The automated prompt did not identify the system he had called. Having no access number and not knowing what system he had reached, the caller simply input the sequence of numbers one through six in response to the prompt. At that point, he received a tone, and thinking that he had simply called an out of service number, he terminated the call and went on about his business.
Unfortunately, the man had inadvertently accessed the debt service computer network of the Bank of France. The bank’s computer network detected the call, and treated it as a potential security breach. As the breach was investigated, service on the computer network was interrupted for several hours, causing business disruption for the bank.
The bank alerted French law enforcement authorities of the suspected computer breach. The authorities treated it as a criminal hacking incident and launched their own investigation. In 2010, they arrested the man for hacking. The authorities were reportedly surprised when they found their target as he seemed to be very unsophisticated with respect to computer technology, and the equipment he owned was extremely old and out of date.
When the man went to trial this year, he repeated the story that he had been telling authorities all along. He continued to insist that he had never intended to engage in hacking. In fact, he did not even realize that he had been involved in hacking.
The trial court in Rennesbelieved the defendant. He was acquitted of the charges as the court determined that he had lacked criminal intent.
As individuals and organizations around the world direct increasing attention and resources toward cybersecurity, this incident offers some important lessons. It shows us that, although technology is important for security, careful planning and implementation of business and operations practices are also vital. Sophisticated security technology can be quickly undermined by careless operations, such as use of easily compromised access codes.
Perhaps the most important lesson illustrated by this case is the significant role played by chance in computer security. No matter how advanced and thoroughly planned the cybersecurity system may be, it can always be threatened by unanticipated events and human errors.
No security system is invincible, and all computer network operators and users must always remain mindful of the fact.