OM demands two months in prison for finding a leak and offering to close it for money


The Public Prosecution Service demands two months in prison against a 29-year-old suspect from Tiel who found a vulnerability in the website of a general practice and offered to fix it for a maximum of 23,000 euros.

The public prosecutor found that the conduct the man from Tiel is suspected of does not constitute ethical hacking. The man considered himself a so-called white hat hacker. Strict conditions apply to ethical hacking, and according to the Public Prosecution Service these were not met, partly because the man had not consulted the general practice in advance; he uncovered the leak on his own initiative. In addition, the man obtained sensitive information, the charge reads. The Public Prosecution Service also charges that the man then asked for money to close the leak.

The 29-year-old man is suspected of breaking into the site of a general practitioner in The Hague in August 2017. The man contacted the practice and reported that a vulnerability allowed access to doctors’ personal information, including email addresses, usernames, passwords and bank account numbers. He then sent a quote with the offer to fix the vulnerability for 16,500 to 23,000 euros. According to the Public Prosecution Service, that offer contained a ‘threatening announcement’: “A fine will probably have to be paid when this is public and there will be considerable reputational damage.”

The Public Prosecution Service writes that, after an investigation, the police established that the man’s laptop contained sensitive personal data and that his IP address could be linked to the break-in. Screenshots of the break-in method used were found on his phone. The verdict is due in two weeks.

The Public Prosecution Service applies strict rules about what is and is not allowed when looking for bugs, leaks and other vulnerabilities in IT systems. Ethical hacking requires explicit consent from the owner of the system. When a hacker searches for leaks on their own initiative, no legal action is to be expected as long as they adhere to the organization’s applicable policy for coordinated vulnerability disclosure.