Cyber crime convictions globally
Cyber crime is defined as any criminal activity involving a computer or a network. As cyber crime is the fourth most reported crime in South Africa, any entity that makes use of an IT system or stores employee and/or client data, has a cyber crime exposure risk.
Why is it so difficult to prosecute cyber criminals?
As our legal system was written around physical crimes, understanding how to successfully prosecute Internet-related crime is uncharted territory.
There is no legal ability to arrest a person that resides in a different legal jurisdiction to prosecutors seeking conviction.
Gathering legal evidence: obtaining good evidence takes a very high level of skill, and computer forensics can be costly. Can you prove the evidence has not been tampered with and that the chain of custody was followed and the time and date stamp is accurate?
Few cyber crimes are reported: would you know where and how to report a cyber crime? If you fell for a 419 or a dating scam, would you report it?
Global convictions of cyber crimes
Oladimeji Seun Ayelotan, Rasaq Aderoju Raheem and Femi Alexander Mewase (Nigeria), who were extradited from South Africa for Internet fraud schemes, including romance scams, re-shipping scams, fraudulent cheque scams, work-at-home scams as well as bank, financial and credit card account takeovers, are collectively facing hundreds of years in prison after being found guilty in Mississippi.
Max Butler (Idaho), known as Iceman and then Max Ray Vision, hacked US government Web sites in 2001 and was sentenced to 18 months in prison. In 2007, after using WiFi to commit attacks, program malware and steal credit card information, Butler pleaded guilty to wire fraud, stealing millions of credit card numbers and around $86 million in fraudulent purchases. Butler, who is due for release in 2019, was sentenced to 13 years in prison and ordered to pay $27.5 million in restitution.
Kevin Mitnick (America), who used social engineering and phone phreaking to get free long-distance calls and access to secret information, was sentenced to a year in prison, followed by three years' probation, for hacking and stealing $1 million of software. In 1999, he pleaded guilty to wire fraud, possession of unauthorised devices and unauthorised access to a federal computer, and served a total of five years in prison.
Michael Calce (Canada), aka MafiaBoy, launched several high-profile denial-of-service attacks against companies like Yahoo, Amazon, Dell, eBay and CNN, reportedly causing losses of approximately $1.2 billion. As he was only 15 years old at the time of the offence, the Montreal Youth Court sentenced him to eight months of 'open custody', a year of probation, restrictions on his Internet usage, and a small fine.
Matthew Hanley and Connor Allsopp (England) were sentenced to 12 months and eight months respectively for their involvement in the TalkTalk data breach in which they stole banking and sensitive information for over 150 000 customer accounts. The breach is estimated to have cost TalkTalk £77 million, including a record £400 000 fine from the Information Commissioner's Office.
George Garofano (Connecticut) was behind the "Celebgate" phishing scheme in which he admitted to using a phishing scam to break into more than 250 iCloud accounts, including those belonging to Hollywood A-listers. He was sentenced to eight months of imprisonment, followed by three years of supervised release.
Albert Gonzalez (Miami), known as cumbajohny, soupnazi and segvec, hacked NASA at age 14. He was arrested in 2003 for being part of ShadowCrew, a group that stole and then sold card numbers online. In 2008, he was arrested again for stealing millions of dollars, which he used to pay for lavish parties and hotels. The companies he targeted were TJX, 7-Eleven, Heartland Payment Systems and Citibank. He was sentenced to 20 years in prison.
Vladimir Drinkman and Dmitriy Smilianets (Russia) sold 160 million credit card numbers that they had stolen from several payment processors, banks and retailers. Drinkman was sentenced to 12 years in prison and his accomplice, Smilianets, was sentenced to 51 months and released.
Travon Williams (America), the ring leader of a 12-member gang that, for two-and-a-half years, purchased large amounts of stolen credit card details on the dark Web, used the information to manufacture fake credit cards. He pleaded guilty and was sentenced to nine years in prison.
Roman Seleznev (Russia), aka Track2, hacked more than 500 businesses, 3 700 financial institutions and 38 point-of-sale computers in order to steal credit card numbers and sell them on the dark Web, resulting in more than $169 million in damages. Seleznev was sentenced to 27 years in prison and another 14 years for a separate case. His release date is set as 2038.
Alex Bessell (Liverpool) made more than £50 000 from selling malware products that enabled users to spread viruses, conduct attacks and steal data. His company, Aiobuy, advertised 9 077 items and had 1 000 000 recorded visitors, with over 34 000 sales on the dark Web. Bessell controlled more than 9 000 bots, which he used to launch 102 attacks on firms such as Pokemon, Skype and Google. He was sentenced to two years in jail.
Matthew Falder (Cambridge), a 29-year-old graduate and geophysics researcher, was sentenced to 32 years in jail after admitting to 137 charges of sharing abuse tips and images on the dark Web. London's Court of Appeal later agreed to reduce Falder's prison sentence to 25 years.
Gavin Prince (Wales) was sentenced to 10 months in jail after running a revenge cyber attack on his former employer (a tenant referencing company 'LetsXL'). His former boss said Prince had deliberately crashed its systems while in their employ. After termination, he changed passwords to mailboxes, accessed the e-mails of other employees and deleted numerous e-mails.
Nik Cubrilovic (Australia), a well-known security researcher in the InfoSec community, broke into the network of a car-sharing service, GoGet, on more than 30 occasions to take his girlfriend on dozens of free joyrides in luxury cars. He was granted bail on condition that he not access the Internet or crypto-currency, surrender his passport, not contact GoGet employees or customers, and report to police three times a week. Cubrilovic had reportedly advised GoGet on flaws in its software system that could expose it to a cyber attack.
Inna Yatsenko and Gayk Grishkyan (Ukraine) were sentenced to suspended jail time of five years each for disrupting hundreds of Web sites using DDOS attacks and extortion schemes over a period of two years. One site was the popular dating service called AnastasiaDate that connects men in North America with women from Eastern Europe.
On a daily basis, thousands of cyber attacks occur, not only globally, but in South Africa too. SMEs are often the preferred target as these companies do not have the means to spend massive amounts on technology to protect themselves against cyber crime.
Liability insurance policies are not designed to respond to intangible losses; therefore, it is important to consider a policy specifically designed to respond to a network breach or privacy breach, which is cyber insurance.
What sort of businesses need cyber insurance?
Any entity that has an IT system (internal or external); and
Any entity that stores data (employees and third parties).
Designed to cover the resultant costs and damages from a network security or privacy breach, a cyber insurance policy covers what has previously been uninsurable. While called cyber insurance, the policy is far broader than the name implies, extending to cover a host of incidents, including, but not limited to:
Cyber extortion (ransomware, to prevent denial of service or publishing of stolen data);
Denial of service (disruption to operations);
Downstream attack (a compromise of the insured's environment resulting in damages to others);
Insider and privilege misuse (unauthorised access and unauthorised use of systems and data, including by employees and service providers);
Malware (virus, ransomware, etc);
Physical theft and loss (both devices and physical hard copy data); and
Threats posed by third-party access into a client environment.