Computer Crime Research Center


Hacker: What can you do against a hacker?

Date: April 03, 2006
By: Pavan Duggal

We operate and maintain the backend office operations of a company located in Silicon Valley. Our offices are located in Gurgaon. Recently, our systems were badly hacked and some crucial confidential files, maintained by us at the back office for a client in Silicon Valley, were deleted. We hired a private investigator, whose technical inquiry revealed that the hacking was done by a company in Korea. We are not sure what to do next. What do you suggest?

Your case represents the typical problems of cyber jurisdiction. The world rejoiced when the internet removed all geographical barriers. However, there have been no easy solutions to the problems of jurisdiction. National governments of different countries won’t relinquish their sovereign jurisdiction and so cyber criminals located in different jurisdictions can’t be brought to book. Different governments are, however, making arrangements to share information about cyber crimes and criminals among themselves.

In your case, the principal company, being your client, is located in California, its backend office is in Gurgaon, where your computer systems are located, while the hacker is in Korea. It’s a case of hacking, as defined under Section 66 of the Information Technology Act 2000.

You can try to get the case registered for hacking in Gurgaon, but the chances are that you may not succeed in this exercise as the hacker is outside the territorial boundaries of India. Even if the case is registered in India, it would be extremely difficult to get the Korean hacker to India for trial under the Indian cyberlaw. It is true that the law provides for extra territorial jurisdiction to law enforcement agencies, but in reality this can hardly be exercised.

Extradition is the only route available, provided there is an extradition treaty between India and Korea. Even if there is indeed a treaty, it would be a very lenghty process and rather ineffective in the context of cyber crime issues. Cyber criminals act swiftly to delete and destroy all electronic footprints of their crimes.

You are likely to have a lot of problems in your case, given its mutli-national nature. You should take the American client into confidence about the hacking and explain to them the various problems of cyber jurisdiction. Meanwhile, you need to make your systems more secure. Until the international law on cyberspace jurisdiction develops, there is no other alternative.

ARE identity theft instances increasing? Are we seeing instances of identity theft in India?

In today’s world, identity theft is extremely prevalent. The last few years have seen tremendous growth in the instances of identity theft. Two recent surveys show that in 2003, about 19,178 people become victims of identity theft per day. That would be 799 persons per hour and 13.3 persons per minute. Victims spend an average of 600 hours recovering from this crime, often over a period of years.

The incidence of victimisation caused by identity theft increased 11-20% between 2001-2002 and 80% between 2002 -2003 . It has also been found that 91% of respondents do not see an “end to the tunnel” and expect a heavy increase in victimization. About 49% also stated that they do not feel they know how to adequately protect themselves from this crime.

From the perspective of victims, the study revealed that the emotional impact on victims is likened to that felt by victims of more violent crime, including rape, violent assault and repeated battering. Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split in a significant relationship or with a spouse and of being unsupported by family members.

The Federal Trade Commission of the US in its FTC Identity Theft Survey Report 2003 found out that in the year 2003, 9.9 million persons became victims of identity theft while the average loss to businesses per victim was $4,800, and the loss to businesses $47.6 billion. The United States Secret Service has estimated that the average cost per financial crime investigation is $15,000. The Federal Bureau of Investigations estimates the average cost per financial crime investigation is $20,000.

These figures are constantly increasing with each passing year. It is also stated that data theft and identity theft cases invariably are done by insiders and people who have close personal knowledge of your details and works. We do not have any specific scientific figures concerning India.

However, I have every reason to believe that the increase in identity theft cases is being seen in India also. The only problem is that such cases are not being reported for fear of harassment and negative media publicity.

What one learns from these trends is that you need to be careful when you share your personal, financial or confidential data with any other person, employee, friend, or acquaintance. You must change your passwords frequently. Do not have predictable passwords, based on family members’ names or words which can be predicted by those close to you.

Security is important too. Any breach of security on your systems can cause irreparable loss and damages, monetary, emotional and otherwise. In India, we have seen an increase in the physical security of systems, but not in the case of networks. Lack of adequate security can cause breaches which could lead to huge damages.

We are an educational institution which provides LAN for access by students. Students of our institution are allowed to put as much material as they may want to, on the LAN in a folder called “Students Corner”. We have been providing this facility for the last few years. However, we recently got a complaint from a couple of students that the folder contains the faces of six girl students of the institute, pasted on six nude models. The parents of the six girls have also complained to us. We have temporarily made the folder inaccessible to students. However, we have saved the pictures in a back up folder on our systems. Is this approach a prudent one?

Since the local area network is yours, you are responsible for the content stored on it. Publishing obscene morphed photographs, even in your back up, is likely to open your organisation and management to criminal liability.

The offence is punishable under Section 67 of the Information Technology Act 2000 with 5 years imprisonment and Rsi lakh fine on the first conviction. You should immediately delete the students’ folder from all locations. You need to have specific policies for the use of LAN by students. It would also be prudent to occasionally keep a check on the LAN for obscene or pornographic content.
Add comment  Email to a Friend

Discussion is closed - view comments archieve
2011-02-06 23:47:30 - someone is buying things with my credit... Michael
2006-10-01 23:44:55 - theres a hacker with all my pics vids info... kelsey
2006-04-17 09:08:26 - What legal action? I find that the... Miker Orton
Total 3 comments
Copyright © 2001-2024 Computer Crime Research Center
CCRC logo