Computer Hacking

While society has benefited greatly from the proliferation of computers and internet-connected devices, malicious actors have exploited these technological developments to their advantage.

Computer hacking is a common form of cybercrime which can impact individuals, corporations, and governments. Hacking can be conducted by individuals, criminal gangs, and rogue state actors. The cross-border nature of this crime makes mitigation and prosecution challenging.

 

What is computer hacking?

Computer hacking can be described as identifying and exploiting weaknesses in computer systems and computer networks. Having identified those weaknesses, malicious actors may then seek to access those systems and devices, modify information, and/or impair the device.

Section 476.2(1) of the Criminal Code Act 1995 (Cth) expands on the meaning of access, modify and impair:

  • Access to data held on a computer.
  • Modification of data held on a computer.
  • Impairment of electronic communications to or from a computer.
  • Impairment of the reliability, security or operation of any data held on a computer disk, credit card or other device used to store data by electronic means.

 

Offences and penalties

Computer hacking is criminalised in Australia under both Commonwealth and state legislation. Provisions dealing with computer hacking can be found in Divisions 477 and 478 of the Criminal Code Act 1995 and in section 308 of the Crimes Act 1900 (NSW).

 

Commonwealth offences and penalties

The key provisions dealing with computer offences are outlined in Division 477 of the Criminal Code Act 1995.

Section 477.1 – Unauthorised access, modification or impairment with intent to commit a serious offence

Offence:

(a) The person causes:

i. any unauthorised access to data held in a computer; or

ii. any unauthorised modification of data held in a computer; or

iii. any unauthorised impairment of electronic communication to or from a computer; and

(b) The person knows the access, modification or impairment is unauthorised; and

(c) The person intends to commit, or facilitate the commission of a serious offence against a law of the Commonwealth, a State or a Territory (whether by that person or another person by the access, modification or impairment).

This section primarily deals with computer hacking as a precursor to committing another serious offence. A serious offence is an offence punishable with 5 or more years’ imprisonment.

Maximum penalty: The maximum penalty applicable to the serious offence (minimum of 5 years’ imprisonment)

Section 477.2 – Unauthorised modification of data to cause impairment

Offence:

(1) A person commits an offence if:

(a) the person causes any unauthorised modification of data held in a computer; and

(b) the person knows the modification is unauthorised; and

(c) the person is reckless as to whether the modification impairs or will impair:

i. access to that or any other data held in any computer; or

ii. the reliability, security or operation, of any such data.

Maximum penalty: 10 years’ imprisonment

Section 478.1 – Unauthorised access to, or modification of, restricted data

Offence:

(1) A person commits an offence if:

(a) the person causes any unauthorised access to, or modification of, restricted data; and

(b) the person intends to cause the access or modification; and

(c) the person knows that the access or modification is unauthorised.

Maximum penalty: 2 years’ imprisonment

 

NSW offences and penalties

The various Australian states also have legislation that closely resembles laws enacted by the Commonwealth. For example, in NSW “computer hacking” is criminalised under various sections in Part 6 of the Crimes Act 1900.

Section 308C – Unauthorised access, modification or impairment

Offence:

(1) A person who causes any unauthorised computer function:

(a) knowing it is unauthorised, and

(b) with the intention of committing a serious indictable offence, or facilitating the commission of a serious indictable offence (whether by the person or another person),

is guilty of an offence.

Maximum penalty: The same as that of the serious indictable offence.

Section 308D – Unauthorised modification of data with intent to cause impairment

Offence:

(1) A person who:

(a) causes any unauthorised modification of data held in a computer, and

(b) knows that the modification is unauthorised, and

(c) intends by the modification to impair access to, or to impair the reliability, security or operation of, any data held in a computer, or who is reckless as to any such impairment,

is guilty of an offence.

Maximum penalty: 10 years’ imprisonment

Section 308H – Unauthorised access to or modification of restricted data (summary offence)

Offence:

(1) A person—

(a) who causes any unauthorised access to or modification of restricted data held in a computer, and

(b) who knows that the access or modification is unauthorised, and

(c) who intends to cause that access or modification,

is guilty of an offence.

Maximum penalty: 2 years’ imprisonment

 

Analysis

Applying the above provisions, we can see that computer crime offences can apply to a number of activities that involve accessing computers without authorisation, and to all activities that may follow once an individual has accessed a computer device without authorisation.

In one case, two individuals from South Australia were sentenced to seven years and nine months’ imprisonment for deploying software against businesses that allowed them to redirect automatic payments made by those companies to another account controlled by the offenders. See Lees v The Queen (2022) SASCA 93.

Prosecution for computer crime is challenging due to the difficulties in identifying the offender. Even in cases where law enforcement can identify the individuals or groups involved, these offenders are often located in jurisdictions outside of Australia.

Many successful prosecutions under the provisions listed above were against individuals inside organisations who were generally permitted to access the restricted data, on the proviso that the access fell within the scope of their employment. These individuals then accessed the data stored on these restricted databases for reasons unrelated to the duties of their jobs.

For instance, in Salter v The Director of Public Prosecutions (NSW) [2011] NSWCA 190, a police officer who accessed the COPS system (a police database) to search for information about her partner’s ex-girlfriends was convicted under s 308H of the Crimes Act 1900. Salter accessed 22 separate pieces of data about that individual on the COPS database. As a result, she was charged and had 22 convictions recorded, one for each piece of data that she accessed, on the basis that she did not have legitimate entitlement to access that data. On appeal, the NSWCA upheld all 22 convictions.

The case of Salter demonstrates that not all hacking involves breaching security from outside an organisation and that individuals who have legitimate access to data may be found guilty of a crime if they access that data outside the scope of their employment.

 

How can we help?

Nyman Gibson Miralis provides expert advice and representation to individuals charged with computer hacking and related offences.

Contact us if you require assistance.