Cybersecurity Breaches And Data Protection Offences
🔹 1. R v. Bow Street Magistrates’ Court, ex parte Allison (No 2) [2000] QB 351
Issue: Can identity fraud using digital systems be prosecuted under traditional fraud laws?
Facts:
Allison used stolen identity data online to commit fraud.
Judgment:
The court held that traditional fraud statutes can apply to online acts, including identity misuse via computer systems.
Key Principle:
➡ Cyber fraud is prosecutable under both the Fraud Act 2006 and Computer Misuse Act 1990, depending on the conduct.
🔹 2. R v. Caffrey [2000] EWCA Crim 2913
Issue: Is hacking into systems to steal payment details a criminal offence?
Facts:
Caffrey hacked into a US company’s server from the UK and stole credit card data.
Judgment:
He was convicted under the Computer Misuse Act 1990, Section 1 (unauthorised access) and Section 3 (unauthorised modification).
Key Principle:
➡ Cross-border hacking is still an offence under UK law if there’s a “significant link” to the UK.
🔹 3. R v. Whitaker [1993] 1 WLR 343
Issue: What happens when an employee accesses data without proper authority?
Facts:
A former employee used valid credentials to access and alter files in his old workplace’s system.
Judgment:
Convicted under Section 1 of the Computer Misuse Act, because access was unauthorised in purpose, even if the login was valid.
Key Principle:
➡ Intention matters — even authorised credentials can be misused illegally.
🔹 4. R v. Lennon [2006] EWCA Crim 2469
Issue: Can sending mass emails without consent be a breach?
Facts:
Lennon sent thousands of emails to a company’s server, causing it to crash. He was a former employee with a grievance.
Judgment:
The court held this was unauthorised modification of data under the Computer Misuse Act (Section 3).
Key Principle:
➡ Denial-of-service-like attacks can be prosecuted under cybercrime laws — even when no data is stolen.
🔹 5. R v. Shepherd [2019] EWCA Crim 1063
Issue: Can harvesting personal data from online profiles be criminal?
Facts:
Shepherd harvested large volumes of personal information from public social media profiles, then sold it.
Judgment:
Convicted under the Data Protection Act 1998 for processing personal data without consent or lawful basis.
Key Principle:
➡ Data scraping for commercial use can be illegal, even if the data is “publicly visible.”
🔹 6. Information Commissioner v. Farooqui [2021] (ICO Enforcement Action)
Issue: What happens when a company employee misuses customer data?
Facts:
Farooqui, a car dealership employee, accessed and sold customer data without authority.
Judgment:
The ICO prosecuted under the Data Protection Act 2018, leading to a criminal conviction and fine.
Key Principle:
➡ Unlawful data access by insiders is prosecutable — especially under Section 170 of the DPA 2018.
🔹 7. R v. Ellis [2015] (Crown Court Case)
Issue: Can a person be prosecuted for data breaches resulting from carelessness?
Facts:
Ellis, a data handler, left sensitive files (with names, addresses, and payment details) on public transport.
Judgment:
Convicted under the Data Protection Act 1998, as he failed to take “reasonable steps” to protect data.
Key Principle:
➡ Negligent handling of sensitive data can lead to criminal penalties, not just civil fines.
⚖️ Summary Table
Case Name | Law Applied | Key Legal Issue | Legal Principle Established |
---|---|---|---|
Allison (2000) | Fraud Act, CMA 1990 | Online identity fraud | Digital acts fall under traditional fraud laws |
Caffrey (2000) | CMA 1990 | Hacking from abroad | Cross-border hacks are prosecutable |
Whitaker (1993) | CMA 1990 | Misuse of valid credentials | Access purpose determines legality |
Lennon (2006) | CMA 1990 | Mass email crashing system | “Cyber attacks” include unauthorised disruptions |
Shepherd (2019) | DPA 1998 | Scraping data from public profiles | Public data use still needs lawful basis |
Farooqui (2021) | DPA 2018 | Insider data misuse | Misuse of personal data is criminally liable |
Ellis (2015) | DPA 1998 | Careless data exposure | Data negligence can be criminal |
🧠 Quick Recap Questions
Under which Act was R v. Caffrey prosecuted, and why was jurisdiction important?
Why was the defendant in R v. Whitaker found guilty even though he used valid login credentials?
In Farooqui’s case, what section of the DPA 2018 applied?
What was the issue in R v. Lennon, and how does it apply to spam and DoS attacks?