
Does current UK anti-hacking legislation provide adequate protection for victims?


Introduction
• Hacking of Microsoft's e-mail system, Microsoft Exchange Server, by a Chinese hacking group called Hafnium on 2nd March 2021
• This report investigates related social, economic, technological, ethical, and other issues
• Special emphasis on the United Kingdom's legal structure for protecting the data and privacy of citizens and businesses in the UK
Discussion of areas with issues
Social
• Hafnium's hacking has put the data of several Microsoft customers at risk. The hacking of Microsoft's Exchange Server email has exploited the data of thousands of customers and also compromised their privacy and security
• Even though Microsoft has released recovery or
strategic software updates for every customer
worldwide following the hack in their Exchange
Service email, customers still express their
resentment towards Microsoft's privacy policies
• UK's anti-hacking legislation was also blamed
by customers due to its inability to prevent
hacking even though they had stated possible
hacking threats before the incident
Discussion of areas with issues
Economic
• The hack of Microsoft's Exchange Server, which is responsible for calendar services and cloud-based email, has resulted in the loss of several worldwide customers and consequently decreased potential brand value
• The decrease in the number of customers reduced Microsoft's total revenue. It is estimated that losses due to hacking cost around $400 billion every year (assets.publishing.service.gov.uk, 2021)
• Hacking of targeted industries and government sectors in the UK costs £27 billion per year
Discussion of areas with issues
Technological
• Common Vulnerability Scoring System (CVSS)
has identified 26855, 26857, 26858 as affected
server addresses of Microsoft's hijacked server
(news18.com, 2021)
• Microsoft stated that hackers used classical
Remote Code Execution Structure (RCES) to
hack into Microsoft's server
• Several codes, such as CVE-2021-26855: CVSS 9.1, CVE-2021-26857: CVSS 7.8, CVE-2021-26858: CVSS 7.8, and CVE-2021-27065: CVSS 7.8, have enabled hackers to hack and take away required data or information and also install malware and web shells.
Discussion of areas with issues
Ethical and Others
• Frustration and anxiety arose in customers as their privacy and data were exposed, and many were seeking to resolve the matter and act according to their needs (Azad, M.M., Mazid, K.N. and Sharmin, S.S., 2017)
• Focusing on customer ethics and protection, Microsoft released an immediate software update to be installed by every user worldwide in order to protect them from possible loss of further information
• Other issues, such as unauthorized transactions from banks, uninstallation of several pieces of essential software from the hacked server, smuggling of data, etc., have also been identified
Discussion of legal issues
• The United Kingdom's legal actions against cyber-crime have mainly developed under two criteria, namely Cyber-Dependent Crimes and Cyber-Enabled Crimes (cps.gov.uk 2019).
• The UK's laws and regulations are outdated and thus unable to deal with online hacking or cyber-crime threats effectively (Ngejane et al. 2018)
• It is also observed that police in the UK often do not investigate several cyber-crimes due to lack of resources
• The UK government's legal responses in mitigating cybercrime and hacking have not been up to the definite requirements of maintaining citizens' data privacy and protection (reuschlaw.de/en/news 2021)
Covered laws
• Computer Misuse Act 1990
• Fraud Act 2006
• IT Act 2000
• Serious Crime Act 2015
• Regulation of Investigatory Powers Act 2000
Covered laws
• Data Protection Act 1998
• Communications Act 2003
• Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)
• Investigatory Powers Act 2016
Laws objective fulfillment
• The UK's General Data Protection Regulation (GDPR) allows data to be transferred out of the country to be used and passed on in other European countries and the rest of the world, but does not apply to processing of data that is carried out outside of the UK, increasing the vulnerability to piracy of data and smuggling of the same
• Computer Misuse Act (CMA) allows legal access to
an individual's data and information by an
organization and government body in accordance
with any liability attributed to the individual
(lexology.com)
• Citizens of the UK have been accused under the Communications Act as they were posing threats to the country by means of media transfer and communication
Conclusion

• It is evident from this investigative report that the UK has not been up to the requirements and measures needed to defend against cyber attacks such as Hafnium's breach of Microsoft
• By affecting the technology and economy of affected servers all around the world, Hafnium has affected Microsoft's business and shares worldwide
• From this investigative report it can be concluded that the UK's ability to protect its citizens from data piracy and smuggling is not up to the necessary requirements and needs proper reforms and advanced changes.
Reference List
• AKDEMİR, N., SUNGUR, B. and BAŞARANEL, B.U., 2020. Examining the Challenges of Policing Economic
Cybercrime in the UK. Güvenlik Bilimleri Dergisi, (International Security Congress Special Issue), pp.113-134.
• Alfaro, D.L., 2019. Is ethical hacking in conflict with data protection? Clarifying issues and resolving
conflicts. Philosophy and Practice of Bioethics across and between Cultures, p.194.
• Allhoff, F. and Henschke, A., 2018. The internet of things: Foundational ethical issues. Internet of Things, 1,
pp.55-66.
• Almeida, V.A., Doneda, D. and de Souza Abreu, J., 2017. Cyberwarfare and digital governance. IEEE Internet
Computing, 21(2), pp.68-71.
• Apau, R., Koranteng, F.N. and Adu, S., 2019. Cyber-crime and its effects on E-commerce technologies. Journal
of Information, 5(1), pp.39-59.
• Azad, M.M., Mazid, K.N. and Sharmin, S.S., 2017. Cyber crime problem areas, legal areas and the cyber crime
law. International Journal of New Technology and Research, 3(05), pp.01-05.
• BBC NEWS, 2021, March, 11. Exchange email hack: Hundreds of UK firms compromised [online], Available
at: https://www.bbc.com/news/technology-56365372 [Accessed on: 17.04.2021]
• Bonakdarpour, B., Deshmukh, J.V. and Pajic, M., 2018, November. Opportunities and challenges in monitoring
cyber-physical systems security. In International Symposium on Leveraging Applications of Formal
Methods (pp. 9-18). Springer, Cham.
• Bradshaw, P., 2017. Chilling Effect: Regional journalists’ source protection and information security practice in
the wake of the Snowden and Regulation of Investigatory Powers Act (RIPA) revelations. Digital Journalism,
5(3), pp.334-352.
• Button, M., Brooks, G., Lewis, C. and Aleem, A., 2017. Just about everybody doing the business? Explaining
‘cash-for-crash’ insurance fraud in the United Kingdom. Australian & New Zealand Journal of Criminology,
50(2), pp.176-194.
