Court Charges Dev With Hacking After Cybersecurity Issue Disclosure
A German court has charged a programmer investigating an IT problem with hacking and fined him €3,000 ($3,265) for what it deemed unauthorized access to external computer systems and spying on data.
According to the original report by Heise, the programmer, operating as a freelance IT service provider, was initially tasked by a client to resolve excessive log generation issues with the merchandise management software they were using.
The programmer examined the software and found that it established a MySQL connection with a remote server belonging to Modern Solution GmbH, the management software vendor.
After connecting to the database, the programmer found that it contained not only his client’s data but also the data of nearly 700,000 of Modern Solution’s other customers, a significant data privacy issue.
Upon realizing that the database contained data for other companies, the programmer disconnected from the remote database and worked with a tech blogger to help notify the software vendor of the cybersecurity and privacy issue.
Modern Solution GmbH took the server offline to fix the problem, denying there was a security gap in their systems. The programmer and tech blogger quickly disclosed the issue the same day without waiting for a comment from the management software vendor.
Soon after, the company reported the programmer to the police for unauthorized access to the exposed data and their database server.
Password stored in plain text
The programmer told tech blog Word Filters that the management software was found connecting to a MySQL server over the Internet.
To determine what the database connection was for, the programmer extracted the plaintext password for the MySQL database connection from one of the management software’s executables.
The prosecution argued that the defendant went as far as decompiling the software. However, Heise confirmed that the programmer simply listed the strings in the MSConnect.exe executable to find the plaintext password.
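The defensive counterpart to the finding above, added here as an example (not code from the article or from the vendor’s software): a pre-release check that lists the printable strings in a binary, the way the `strings` utility does, and flags any that carry a connection password. The sample bytes and host names are constructed.

```python
"""Pre-release check for credentials baked into a compiled executable.

Added example, not code from the article or the software it describes. It pulls
runs of printable ASCII out of a binary (what `strings` does) and matches each
run against connection-string patterns, so a vendor can fail a build before a
plaintext database password ships to every customer. Sample bytes are constructed.
"""
import re
from typing import List

# Patterns that indicate a secret is present in a string, not just a hostname.
CREDENTIAL_PATTERNS = [
    # key=value style: Pwd=..., password = ..., secret=... (value ends at ';' or whitespace)
    re.compile(r"\b(?:password|passwd|pwd|secret)\s*=\s*[^;\s]+", re.I),
    # URI style with embedded user:password@host, e.g. mysql://user:pass@host/db
    re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@", re.I),
]

def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in run.finditer(data)]

def find_credential_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Strings in the binary that look like they carry a password."""
    return [s for s in extract_strings(data, min_len)
            if any(p.search(s) for p in CREDENTIAL_PATTERNS)]

def redact(s: str) -> str:
    """Mask the secret part so a finding can be logged without copying the password."""
    s = re.sub(r"(\b(?:password|passwd|pwd|secret)\s*=\s*)[^;\s]+", r"\1***", s, flags=re.I)
    return re.sub(r"(://[^/\s:@]+:)[^@\s]+(@)", r"\1***\2", s)

# Constructed stand-in for an executable: header bytes, junk, and embedded strings.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"Server=db.example.invalid;Port=3306;Uid=app;Pwd=Hunter2!;\x00"
    b"\x01\x02\x03"
    b"mysql://readonly:CorrectHorse@db.example.invalid/erp\x00"
    b"\x7f\x80\x81"
    b"Connection established\x00"
)

if __name__ == "__main__":
    for hit in find_credential_strings(SAMPLE_BINARY):
        print("embedded credential:", redact(hit))
```

Point the script at the real build artifact instead of SAMPLE_BINARY and treat any hit as a release blocker; the only durable fix is to keep database credentials server-side and give the client software a per-customer, least-privilege account.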
The court nevertheless decided that unauthorized access to data protected by a password violates Section 202c of the German Criminal Code, also known as the Hacker Paragraph.
The judge cited a 2007 legislative amendment on hacking, emphasizing that the protection need not be robust for the access to count as an offense.
However, the judge demonstrated some leniency towards the consultant, considering his previous clean record, and imposed a lower fine than the prosecution demanded.
The defendant’s lawyer argued that his client acted in the general public’s interest, responsibly informing the software vendor about the security lapse, and criticized the court’s views on the matter as outdated.
The programmer has decided to appeal the decision, and the case will be assigned to a higher regional court in Aachen, where the decision could assume an important role as a legal precedent.