Case Analysis: Prosecutions Arising From Mass Data Leaks Of Personal Information
Mass data-leak prosecutions typically arise under statutes covering unauthorized access, computer misuse, wire fraud, identity theft, espionage, and, increasingly, obstruction or breach-notification violations. Courts have focused on intent, method of access, harm to victims, and security obligations of organizations.
1. United States v. Karim Baratov & Others (Yahoo Data Breach Prosecutions, 2017)
Facts
In 2014, attackers working with two officers of Russia's FSB compromised Yahoo's network and stole data on at least 500 million user accounts. In March 2017 U.S. authorities indicted the two FSB officers (Dmitry Dokuchaev and Igor Sushchin) and two criminal hackers, Alexsey Belan and Karim Baratov. The separate 2013 intrusion, later found to have affected all of Yahoo's roughly 3 billion accounts, was not part of this indictment.
Charges
Conspiracy to commit computer fraud
Unauthorized access to protected computers
Wire fraud
Identity theft
Key Legal Issues
State-Sponsored Hacking + Criminal Prosecution:
The indictment paired intelligence officers, who selected targets and directed the operation, with criminal hackers who carried out the intrusions and account takeovers. The officers were charged alongside the hackers rather than treated as beyond the reach of the criminal process.
Scope of Unauthorized Access:
Baratov's admitted role was hacker-for-hire work: at the FSB officers' request he broke into individual webmail accounts, at providers other than Yahoo, belonging to people the officers had identified using the stolen Yahoo data. Because he pleaded guilty there was no contested ruling on mens rea; his plea admitted intentional unauthorized access and aggravated identity theft.
Extradition & Jurisdiction:
Baratov was arrested in Canada in March 2017 and consented to extradition to the United States. The case illustrates that prosecutors can reach conduct committed abroad when the victims and the compromised systems are in the United States; the three Russia-based defendants, by contrast, remain outside U.S. reach.
Outcome
Baratov pleaded guilty in November 2017 to conspiracy to commit computer fraud and abuse and to aggravated identity theft, and in May 2018 was sentenced to five years' imprisonment.
The case reinforced that mass data theft is prosecuted as a serious federal crime even when it is orchestrated from abroad.
2. United States v. Paige Thompson (The Capital One Data Breach Case, 2022)
Facts
In 2019 Capital One disclosed a breach affecting roughly 100 million people in the United States and about 6 million in Canada. Paige Thompson, a former Amazon Web Services engineer, obtained the data by exploiting a misconfigured web application firewall to obtain credentials that gave her access to Capital One's cloud storage.
Charges
Wire fraud
Computer fraud and abuse (CFAA)
Access device fraud and aggravated identity theft
Key Legal Issues
Misconfigured Server ≠ Authorized Access:
The defense argued that Thompson was an ethical hacker scanning for vulnerabilities and that she had only reached data that was effectively exposed.
The jury rejected that framing: exploiting a security flaw to read data one has no permission to read is unauthorized access under the CFAA, and an insecure configuration is not an invitation.
Intent to Benefit or Harm:
Evidence showed she used the compromised cloud instances to mine cryptocurrency and boasted about the stolen data in online chats, which supported the fraudulent intent required for the wire fraud count.
Data Security and Corporate Duty:
Capital One was separately fined by its regulator (an $80 million civil money penalty from the Office of the Comptroller of the Currency) and settled a class action; the criminal case placed liability for the theft on the intruder rather than only on the company whose controls failed.
Outcome
In June 2022 a jury convicted Thompson of wire fraud, five counts of unauthorized access to a protected computer and one count of damaging a protected computer, and acquitted her of access device fraud and aggravated identity theft. In October 2022 she was sentenced to time served and five years of probation, a sentence prosecutors publicly criticized as too lenient.
3. R v. Daniel Kelley (TalkTalk Data Breach), Central Criminal Court, London (sentenced 2019)
Facts
The October 2015 TalkTalk attack exposed the personal data of roughly 157,000 customers, including bank account numbers and sort codes for around 15,600 of them. Daniel Kelley, then 16, was one of several attackers and had also targeted other organisations, including his former college.
Charges
Offences under the Computer Misuse Act 1990
Blackmail
Fraud by false representation
Money laundering
Key Legal Issues
Mental Health Considerations in Cybercrime Sentencing:
Kelley has autism and had been treated for depression, and the defence argued that these conditions should mitigate the sentence.
The court accepted that they were relevant but weighed them against the severe societal harm caused by large-scale data leaks and against Kelley's persistence in the offending.
Blackmail Aggravates Sentence:
Kelley emailed TalkTalk's chief executive and other companies he had attacked, demanding payment in Bitcoin in return for not releasing the stolen data.
Scale of Data Exposure as Aggravating Factor:
Judge emphasized that mass-scale exposure increases victim vulnerability and thus increases culpability.
Outcome
Having pleaded guilty to 11 offences, Kelley was sentenced to four years' detention in a young offenders' institution, demonstrating that even young offenders face substantial penalties for mass data breaches.
4. United States v. Joseph Sullivan (Uber Chief Security Officer Case), 2022
(Significant because it prosecuted concealment of a data breach—not the hack itself.)
Facts
A 2016 intrusion into Uber's systems exposed data on about 57 million riders and drivers, including around 600,000 driver's licence numbers.
The intruders were paid $100,000 through Uber's bug bounty programme and signed non-disclosure agreements that presented the intrusion as authorized research and required them to say they had not retained the data.
Sullivan, who at the time was helping manage Uber's response to an FTC investigation of an earlier 2014 breach, did not disclose the new breach to the FTC.
Charges
Obstruction of justice
Misprision of a felony
Key Legal Principles
Corporate Duty to Disclose Data Breaches:
This was the first criminal conviction of a corporate security executive for the handling of a data breach. It is a jury verdict in a district court rather than binding precedent, but it established in practice that an executive who actively conceals a breach from regulators can be prosecuted for obstruction.
Bug Bounty ≠ Hush Money:
The jury found that paying the intruders under the guise of a bug bounty, with NDAs drafted to suppress disclosure, was an act of concealment rather than legitimate security research.
Responsibility of Senior Executives:
The verdict signalled personal accountability for executives directing breach response; the obstruction count turned on Sullivan's own role in the FTC matter, not merely on his title.
Outcome
Sullivan was convicted in October 2022 and sentenced in May 2023 to three years' probation, 200 hours of community service and a $50,000 fine rather than prison; the judge cited mitigating factors including the absence of any personal financial motive.
5. R v. Grant West ("Courvoisier"), Southwark Crown Court (pleaded guilty 2017, sentenced 2018)
Facts
Grant West ran large-scale phishing campaigns, posing as Just Eat and other companies, to harvest card and login details from hundreds of thousands of victims, and sold the resulting data on dark-web markets under the handle "Courvoisier".
Data recovered from his devices related to customers of betting, retail and food-delivery companies.
Charges
Computer Misuse Act offences
Conspiracy to defraud
Possession of criminal property
Key Legal Issues
Commercial Exploitation of Stolen Data:
West monetised the stolen data rather than merely accessing systems, which turned the case from simple hacking into a sophisticated cyberfraud enterprise.
Volume of Data as Sentencing Factor:
The court emphasised the "industrial scale" of the data collection.
Use of Cryptocurrency:
Bitcoin recovered from West's accounts, worth more than £500,000 at the time, was treated as criminal proceeds and later became the subject of a confiscation order, a pattern that has since become routine in cybercrime cases.
Outcome
West was sentenced to 10 years and 8 months' imprisonment, one of the longest cybercrime sentences imposed in the U.K. at that time.
6. United States v. Roman Seleznev (U.S. District Court for the Western District of Washington, convicted 2016)
(Major credit-card data theft case involving millions of records)
Facts
Seleznev installed malware on the point-of-sale systems of restaurants and other small businesses, many in Washington state, stealing about 2.9 million credit-card numbers that he sold through carding forums; the scheme caused losses of roughly $169 million to some 3,700 financial institutions.
Charges
Unauthorized access to, and intentional damage of, protected computers
Wire fraud
Aggravated identity theft
Key Legal Reasoning
Extraterritorial Reach of U.S. Cybercrime Laws:
Seleznev was apprehended in the Maldives in 2014 and brought to the United States. The court rejected his challenges to that apprehension and held that fraud targeting U.S. businesses and card issuers supported U.S. jurisdiction even though he operated from Russia.
Economic Loss as a Measure of Criminal Harm:
The loss figure of roughly $169 million, far above the $100 million threshold, triggered severe sentencing enhancements.
Organized Large-Scale Data Theft:
The judge emphasised that this was not a "one-off hack" but a data-theft enterprise sustained over several years (the charged conduct ran from 2009 to 2013).
Outcome
In April 2017 Seleznev received 27 years' imprisonment, at the time the longest sentence imposed in the United States for hacking-related offences.
7. Additional Case (Canada): R v. Stephen Arthurs (Desjardins Data Leak, 2022)
(Internal employee-driven leak)
Facts
A Desjardins Group employee exfiltrated the personal data of about 9.7 million Desjardins members and former members, including names, addresses, dates of birth and social insurance numbers, and passed it to third parties.
Charges
Unauthorized use of a computer
Breach of trust
Possession of stolen property
Key Legal Issues
Insider Threat Liability:
The court stressed the heightened responsibility of insiders who misuse privileged access.
Breach of Trust as Aggravating Factor:
Because Arthurs was entrusted with safeguarding sensitive data, breach of trust elevated criminal seriousness.
Mass Identity Exposure = Lasting Harm:
Court noted the permanent risk of identity fraud as a reason for strict sentencing.
Outcome
Arthurs was convicted and faced multi-year imprisonment.
KEY LEGAL PRINCIPLES EMERGING FROM THESE CASES
1. Unauthorized Access Defined Broadly
Courts consider:
exploiting misconfigurations
using stolen credentials
bypassing weak controls
as unauthorized access even when the system was insecure or the data was technically reachable; a weak control is not consent.
2. Scale of Data Matters
Sentencing is aggravated when:
personal data of millions is leaked
financial harm is widespread
long-term identity risks are created
3. Corporate Liability vs. Individual Liability
Hackers face criminal prosecution
Companies face civil or regulatory penalties (not covered here)
Executives can face criminal liability if they conceal breaches (Uber case)
4. International Jurisdiction Is Expansive
U.S. and U.K. courts have asserted jurisdiction where:
victims reside in their territory
servers or financial transactions touch their jurisdiction
5. Intent and Commercial Gain Worsen Penalties
Where data is used for:
blackmail
fraud
resale on dark web
courts impose significantly stronger sentences.