Is Hungary’s “ethical hacker” a hero or a criminal?
Some burning questions about data security, data breaches and the prosecution of hackers have been raised in Hungary, fuelled by an ongoing criminal trial. At the centre of the case is a young, unnamed IT student, now dubbed the “ethical hacker”, who discovered a major security flaw in the customer database of Hungary’s leading telecommunications provider, the German-owned Telekom. After gaining access to confidential data records, he duly disclosed his findings and alerted the company to its vulnerability. The criminal proceedings that followed highlight the need for better legislation and an overall consensus on how reported vulnerabilities and data breaches should be handled by corporations and criminal courts.
The story began in 2017, when a college student majoring in programming came across a security weakness on Telekom Hungary’s website. While getting routine customer-service help with a DNS server, he noticed a publicly accessible document that contained administrative passwords, with which he could gain administrative control of the system. Driven by curiosity, he dug deeper and deeper into the pages until he found himself inside Telekom’s internal network. He immediately alerted Telekom, shared his findings and was invited to the headquarters in Budapest. He prepared a detailed seven-page description of how the events unfolded, took the train to the capital and met with Telekom’s IT security experts. He demonstrated on his own laptop how he had gained access to confidential internal files and patiently answered questions about his methods and motivations. He felt that the company’s representatives were quite unfazed by the lack of system security: they were mostly interested in his reasons for the break-in, and made remarks like “hmm, not too many people would think of doing this.” He later admitted that he had expected a different, much more serious reaction from the people responsible for data security at the telecommunications giant. At some point it was discussed that Telekom would hire him to help with security issues, either as a salaried employee or as an IT security consultant. This was followed up in emails before it all went quiet. While Telekom lost interest in hiring him, he certainly didn’t lose interest in the system he had so easily accessed. A few weeks later, again led by curiosity, he tested his access again; he now claims he was planning to share all his findings with Telekom, just as he had before. In his confidence (or naive innocence) he didn’t even bother to mask his IP address while digging around.
Lo and behold, the security flaws had not been corrected, and they seemed even worse this time around. He easily accessed files detailing the mobile phone and data traffic of all Telekom subscribers, on both individual and corporate accounts. He was testing whether he could create a system-admin-level test user account when he realised that Telekom’s IT department had been alerted to the intrusion. Assuming that Telekom, now aware of its system weaknesses, would patch them, he exited the system and naively thought that was the end of the story. It wasn’t. Three weeks later he was arrested, handcuffed and jailed.
The trial started last week, and the young man is being defended by the Hungarian Civil Liberties Union (HCLU/TASZ). According to the prosecution, he committed the ‘crime of disturbing a public utility and endangering society’, and it is requesting a hefty prison sentence. But according to the HCLU, “the Prosecutor’s Office is asking for a jail term” even though from the indictment files “it is not clear what exactly he has done.” The files lack the time, place and means of the crimes he is accused of, “and in general, contain nothing that would be necessary to present the lawful accusation in detail.”
While the case is still ongoing and we will have to wait a while for the decision of the Hungarian courts, it is blatantly obvious that Hungary’s current laws and courts are unprepared for handling such cases. (In another ongoing case, a young student was recently arrested for identifying and promptly reporting a bug he had accidentally found in the Budapest Transport Authority’s app: it allowed users to buy monthly passes at any price they named, even ridiculously small ones. He never used the pass he acquired for 50 HUF, the equivalent of 10p, but was arrested anyway.) Worse still, even large companies are unprepared: they treat whistleblowers like criminals. I would like to be optimistic about our “ethical hacker’s” future and hope that he will be recognised for his good intentions and maybe even rewarded with a great job upon graduation, but having some insight into the Hungarian legal system, I remain sceptical. At this point he faces two years’ probation if he admits guilt, or up to five years in prison if he doesn’t. Well-intentioned security researchers and hackers elsewhere, like the American Vinny Troia, regularly expose data security vulnerabilities and are revered in the IT community. Good hackers, also called “white hat hackers”, have been around as long as computers have. In fact, one of Apple’s co-founders, Steve Wozniak, started out as one. But what should happen to budding amateurs who stumble upon a security flaw and are honest about it? How should data breaches that reach across international borders be handled? How can we tell the good guys from the villains? We had better answer these questions fast, because data breaches happen daily, and as big data gets bigger and bigger, so do these events. As we recently reported, at least 2.5 billion people were affected by data breaches in 2018 alone.
Bogi Szalacsi is a Senior Associate with infoNation, based in London. You can contact her at firstname.lastname@example.org and follow her on Twitter: @infoNation5.