Business Law & Compliance
MP Kemi Badenoch's hack prank reminds us not to violate the CMA
3 min read
10 April 2018
Kemi Badenoch admitted to hacking another MP's website as a prank, before she was elected. But while she may have been forgiven for the deed, it has flung the CMA back into headlines.
The alleged prank came to light after she was asked to confess “the naughtiest thing” she’d ever done during an interview. Some ten years ago she hacked Harriet Harman’s website and “changed all the stuff in there to say nice things about the Conservative party”.
Badenoch’s hack – a violation of the Computer Misuse Act (CMA) – highlights the importance of stringent security, as well as a common misunderstanding of the Act. No real hacking is actually required to fall foul of it. Access to the computer in question must be unauthorised, and the person gaining access must know it is unauthorised.
Taking this into account, bosses need to remember they can be held responsible for any wrongful actions carried out by staff. So it’s important to have strong passwords – Harman’s logon ID was apparently “harriet” and her password “harman” – and change them regularly. Someone who takes advantage of a slip up when it comes to security is still breaching the law and could go to jail for it.
It came to light on Friday 3 November that Donald Trump’s Twitter account had been deleted. This was no technical error – an employee went “rogue”.
All office computer policies need to make this clear, explained Susan Hall, IT lawyer and head of technology at Clarke Willmott. “This is especially true where people are handling valuable data,” she said. “Hacking was criminalised in 1990 by the CMA.
“This creates three distinct offences: unauthorised access to a computer, unauthorised access to a computer with intent to commit further offences and unauthorised access with the intent to impair the operation of a computer or to erase, block or corrupt data or programs.
“The conduct Badenoch admitted to appears at first sight to fall within the first and the third offences. Both can be tried n the Crown Court or the Magistrates Court, with the current maximum penalties currently being two and ten years’ imprisonment respectively.
“A police constable who accessed police intelligence systems to snoop on his ex-girlfriends received a nine months suspended sentence, and a hacker who shut Sports Direct’s website down for 30 minutes received a sentence of ten months. The arguments put forward by Badenoch to excuse her actions – that it was a prank, that it stemmed from ‘youthful exuberance’ and involved ‘guessing a password’ – have not found favour in earlier cases under the CMA.”
The incident could hardly have come at a worse time. As Hall suggested, with the GDPR coming into effect next month, everyone is sensitive to risks of security breaches.
She added: “Treating hacking flippantly undermines everyone’s efforts of getting cyber issues onto the table and properly addressed.”