More stories

  • Ransomware: Ireland's health service remains 'significantly' disrupted weeks after attack

    Ireland’s health service is still suffering from significant disruption more than three weeks after falling victim to a ransomware attack. The Health Service Executive (HSE), which is responsible for healthcare and social services across Ireland, shut down all of its IT systems following the attack last month.

    Many of these systems were shut down as a “precaution” in order to stop the spread of the ransomware, which HSE described as a variant of Conti ransomware.

    The health service vowed not to pay the ransom – which has been reported as a demand for $20 million in Bitcoin – and Dublin’s High Court issued an injunction against Conti in an effort to prevent the criminals from leaking the stolen data in retaliation for not being paid.

    HSE has been providing regular updates following the cyberattack and, as of 3 June – three weeks after the initial incident – services around Ireland continue to see what’s described as “significant impacts and disruptions to services”.

    Essential and urgent services, including COVID-19 vaccinations, are operating, but patients are still being warned they could face delays and cancellations to appointments because “systems are not functioning as usual” due to “critical IT systems” still being out of action.

    Services like blood tests and diagnostics are taking much longer than usual because the ongoing fallout means doctors, nurses and other staff are relying on manual processes in the meantime. According to HSE, this is expected to continue for “a number of weeks” as efforts are made to safely deploy a decryption tool to restore the 2,000 IT systems – each consisting of infrastructure, multiple servers and devices – affected by the ransomware, in order of clinical priority.

    Despite the attempt at an injunction, HSE has warned the public that criminals could attempt to exploit the confusion and worry around the safety of their medical data to scam and defraud people.

    “People receiving any suspicious calls, texts or other contacts seeking personal or banking details are advised to report these contacts to their local Garda station or the Garda confidential line 1800 666111,” said an HSE statement.

    The HSE incident is just one of a string of high-profile ransomware attacks to have hit organisations around the world in recent weeks. Colonial Pipeline, which supplies almost half of the fuel to the United States eastern seaboard, was hit by a ransomware attack and paid cyber criminals using Darkside ransomware over $4 million in Bitcoin in exchange for the decryption key. Meat processor JBS was recently hit with a ransomware attack by the REvil criminal group, while Fujifilm has also fallen victim to a ransomware attack in recent days.

    The rise in ransomware attacks has led to the White House urging organisations to take the threat posed by cyber criminals seriously.

    “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” said Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology. “Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”

  • Perfect storm: Fraud is skyrocketing coming out of pandemic

    A financial crime monitoring platform has just announced the results of its latest financial crime report. The report from Feedzai analyzes 12 billion global transactions from January to March of this year in order to identify the latest fraud, banking, and consumer trends.

    The top line results are … dispiriting. Bank fraud attacks have increased 159% over the past year and phone banking fraud has seen a 728% increase. Over 90% of fraud attacks occurred online, and California, where I live, won the unwelcome distinction as the top state for fraud. Take that, New York.

    The jumps follow a post-pandemic logic. Coming out of lockdown, people are starting to spend more money locally and internationally. The period covered by the report saw a 410% increase in international transactions. Transaction volumes are climbing back to pre-pandemic levels, and fraud has followed close behind. At the same time, an increased reliance on digital services during the pandemic has placed consumers more at risk of online and phone fraud, particularly consumers who previously preferred to shop in stores and may be less digitally savvy.

    “The world may have paused in 2020, but financial criminals did not,” says Jaime Ferreira, Senior Director of Global Data Science at Feedzai. “Reliance on digital forms of shopping, banking, and payments actually made it easier for fraudsters to attack more people, more quickly. As fewer consumers feel the need to walk into a bank branch or a mall we need to adapt financial services and payments to protect consumers. And as consumers, we need to continue to be vigilant and educate ourselves on how to stay safe.”

    According to the report, banking is the primary channel for fraudsters, whether online, in-person, or by phone. I recently listed an item on Craigslist and was met with a barrage of scams, some obvious, some rather elegant, all directed at perpetrating some form of rip-off, including attempting to access my bank account. With many bank branches closed or operating during limited hours during the pandemic, banking has shifted primarily online and over the phone, the perfect sandboxes for cheats.

    Following California, the states with the highest fraud were Florida, Washington, Arkansas, and New York. Interestingly, Android devices see 1.9 times more fraud than iOS devices, despite having only half the transaction volume of iOS. The report suggests Apple’s tighter control of apps on the App Store makes it more difficult for fraudsters to infiltrate the platform.

    All of this speaks to a need for greater vigilance than ever, which may be a tough message to sell as parts of the world that believe the worst of the pandemic is behind them breathe a collective sigh of relief and shake off the dust heading into summer. The full Feedzai Financial Crime Report Q2 2021 is available from Feedzai.

  • Chrome 91 will warn users when installing untrusted extensions

    Google is expanding its Enhanced Safe Browsing feature in Chrome 91 to protect users when they’re installing a new extension from the Chrome Web Store. Chrome will start displaying a new dialog warning users to proceed with caution if an extension is not trusted by Enhanced Safe Browsing.

    Google rolled out Enhanced Safe Browsing last year as an opt-in protection against phishing and malware sites, to catch instances where it had missed detecting these sites before users visited them. The feature has Chrome share more security data with the service so that it can check dodgy URLs in real time to determine whether a site is a phishing site.

    Now Google is using Enhanced Safe Browsing to improve its management of developers who publish extensions to the Chrome Web Store. This could create obstacles for extension developers who are new to the Chrome Web Store, as it will take a few months of abiding by Google’s policies to be considered trusted.

    “Any extensions built by a developer who follows the Chrome Web Store Developer Program Policies, will be considered trusted by Enhanced Safe Browsing. For new developers, it will take at least a few months of respecting these conditions to become trusted,” Badr Salmi from Google Safe Browsing and Varun Khaneja from Chrome Security explain in a blogpost. “Eventually, we strive for all developers with compliant extensions to reach this status upon meeting these criteria. Today, this represents nearly 75% of all extensions in the Chrome Web Store and we expect this number to keep growing as new developers become trusted.”

    The new framework for trusted developers follows Google’s year-long effort to clean up the Chrome Web Store of scammy and phishing extensions. Even after a crackdown last August, millions of users installed 28 malicious extensions.

    Chrome users can opt into Enhanced Safe Browsing by opening Settings, going to Privacy and security > Security, and selecting the ‘Enhanced protection’ mode under Safe Browsing. Users should note that this does allow the service to share data that’s temporarily linked to a Google account if the user is signed into Chrome. But Google claims that Chrome users who do enable Enhanced Safe Browsing are successfully phished 35% less than other users, so there may be a good security reason to enable it.

    Google is also bolstering download protection in Enhanced Safe Browsing to improve protections when downloading potentially risky files from the web. Users will get a warning when Chrome detects a suspicious file, and Chrome will suggest sending the file to Google for further analysis. A first check is run through the standard Google Safe Browsing services. If you choose to send the file, Chrome will upload it to Google Safe Browsing, which will scan it using its static and dynamic analysis classifiers in real time. After a short wait, if Safe Browsing determines the file is unsafe, Chrome will display a warning. As always, you can bypass the warning and open the file without scanning. Uploaded files are deleted from Safe Browsing a short time after scanning.

  • Best identity theft protection & monitoring service 2021

    With more of our personal information being sent and stored via the internet, fraud and identity theft continue to rise. There are plenty of great options available for reasonable prices that can help to protect your identity, personal information, and credit score.

    Identity Guard: Middle-of-the-road option in terms of price

    Pricing: Individual plans ranging from $7.50 to $25 per month and family plans from $12.50 to $33.33 per month.

    While perhaps a bit lacking in its monitoring services, Aura’s Identity Guard is one of the most comprehensive in identity theft protection. Using an IBM Watson artificial intelligence program, Identity Guard scans the dark web for personal information such as social security numbers or banking information. This level of protection is the best available, but credit monitoring is not as robust. Identity Guard monitors three credit bureaus, but credit reports are only available once a year, and there is no opt-in for fraud alerts. This is a middle-of-the-road option in terms of price.

    Pros:
    - Anti-phishing mobile app.
    - Bank account and investment account monitoring.
    - Customer service is rated A+ with BBB.
    - IBM Watson artificial intelligence scanning program.
    - Identity theft insurance up to $1 million.
    - Monitors all three credit bureaus.
    - Offers safe browsing tools to protect online shopping, banking, or bill paying.
    - Reduces telemarketing calls, junk mail, and phishing emails.
    - Social insight reports.
    - Tax refund fraud alerts.
    - Three different plans provide flexibility.

    Cons:
    - Credit reports only once per year.
    - Does not offer a specific computer tool package.
    - No fraud alert with credit bureaus.
    - No “limited power of attorney” for recovery services.
    - No money-back guarantee.
    - Pricey mid-tier and upper-tier plans.
    - Single bureau credit score.

    Identity Force: Decent basic and cheaper option

    Pricing: Ranging between $9.99 and $17.99 per month for individual plans. Identity Force also offers custom family plans and enterprise plans to businesses.

    Depending on which option you choose, Identity Force can either be very high on this list or very low. The basic and cheaper option is decent in terms of identity theft protection, but its credit monitoring feature doesn’t offer reports, scores, or a broad monitoring scope. However, the more expensive plan is excellent and could reach the best on this list. This is one of the more pricey options, but an annual subscription and family plan would help to lower the overall price.

    Pros:
    - Access to credit report fraud assistance.
    - Credit freeze button.
    - Credit score simulator with the higher plan.
    - Customer service is rated A+ with BBB.
    - Dark web monitoring.
    - Identity theft insurance up to $1 million.
    - Junk mail opt-out.
    - Offers a VPN.
    - Quarterly credit reports.
    - Social media identity monitoring is in the basic plan.
    - Two-factor authentication.
    - Two months free on annual plans.

    Cons:
    - Above-average price.
    - Best features are limited to a more expensive plan.
    - You can’t contact customer support through the iOS app.
    - Information like IP address, web beacons, and browser fingerprinting is collected during registration.
    - The lower tier plan doesn’t offer credit monitoring for all three bureaus.
    - No refunds for cancelling the service.
    - Only two plan options.
    - Subpar mobile app.

    IDShield: Best way to cover a large family

    Pricing: Individual plans range from $13.95 to $17.95 a month. The family plan ranges from $19.95 to $32.95 and is where the real value lies.

    If you are looking for the best way to cover a large family, this is probably the best option. By offering coverage for 10 people in its family plan, IDShield has the best family plan. Individual plans lack computer protections such as VPN or anti-virus software. For families, there’s no better option.

    Pros:
    - Alerts you whenever sex offenders move to your area.
    - Bank accounts monitored.
    - Customer service rated as A+ with BBB.
    - The family plan is available for up to 10 people.
    - Identity theft insurance up to $5 million.
    - Monitors all three credit bureaus with 12-month credit score tracking.
    - Offers additional educational resources.
    - Quarterly credit reports.
    - Will assign a private investigator to help restore a stolen identity.

    Cons:
    - Above average price for individual plans.
    - Alerts must be activated to receive them.
    - Confusing setup.
    - Limited plan levels and options.
    - No computer protections.
    - No credit reports.
    - No credit simulation.
    - No 401(k) or retirement account monitoring.
    - No VPN or anti-virus software.
    - Single bureau credit score.

    LifeLock’s identity fraud protections are among the very best

    Pricing: Basic plans start at $8.99 a month and provide “good enough” internet security, but the best protection comes with the more expensive plans that cap out at $34.99 per month.

    It can be pretty hard to beat Norton when it comes to internet security, but LifeLock is an excellent alternative. LifeLock’s identity fraud protections are among the very best. LifeLock’s identity theft insurance is some of the best on the market, but its credit monitoring is among the worst on this list. Most egregiously, LifeLock doesn’t have a family plan. Instead, each child must have their own junior plan, which is about $5.99 extra per child every month.

    Pros:
    - All plans provide identity theft insurance.
    - Constant dark web scans for personal data.
    - Includes VPN.
    - Insurance includes stolen funds reimbursement and personal expense compensation.
    - Norton 360 software is available with some plans: excellent protection against viruses, spyware, and malware for up to five different devices.
    - Real-time fraud alerts are available by text, phone, and email.
    - 60-day money-back guarantee with the annual plan.
    - Three different plans available: Standard, Advantage, and Ultimate Plus.
    - Tracks social security number.
    - Up to $1 million for lawyers and experts, $25,000 to $1 million for stolen funds and personal expense compensation.

    Cons:
    - Above average price.
    - Coverage for children is an additional $5.99 for each child per month.
    - Credit file can only be locked with one bureau, not all three.
    - Must meet credit requirement to be eligible for credit protection and monitoring.
    - No credit simulator.
    - No family plan offered with LifeLock. Must purchase an additional junior plan for children.
    - The standard plan comes with less identity theft insurance.
    - The standard plan lacks alerts such as bank account and credit card activity.
    - Standard and Advantage plans only monitor one credit bureau.

    PrivacyGuard: There are better options available

    Pricing: The plans range in price from $9.99 to $24.99 monthly, so if you are only looking for very specific coverage, you could find a good one for cheap.

    PrivacyGuard essentially offers an identity theft protection plan, a credit reporting plan, and a plan that includes both. So in that way, it’s good for giving you exactly what you want, but some of the plan options severely lack what some may consider crucial features. However, there are better options available on this list for a similar price when it comes to comprehensive coverage.

    Pros:
    - All three credit bureaus monitored with some plans.
    - Antivirus software.
    - Customer service rating of A+ with BBB.
    - Monthly blended credit reports are available with some plans.
    - New users can try any plan for two weeks for just $1.
    - Three different plans are available, each with different features.
    - Up to $1 million identity theft insurance with some plans.

    Cons:
    - No bank account monitoring.
    - No family plans offered.
    - Social network monitoring not provided.
    - Some plans have glaring gaps in credit or identity monitoring on their own.

    What do identity theft protection services do?

    These services will monitor websites and various databases for any signs of your personal information such as social security number, driver’s license number, bank account number, credit card number, etc. If any of this information is found online anywhere, it could be used in many different ways to steal money from you. These protection services will typically alert you and inform you of what you should do to prevent any future issues or help you to recover from theft. 

    What are the signs of identity theft?

    The most common signs associated with identity theft are collection calls or credit report entries for accounts you didn’t open, unexpectedly being denied a loan or credit card, and bills for accounts you didn’t open. It can take a long time before you see evidence that your identity has been stolen, and when that evidence does appear it tends to come quickly and unexpectedly.

    What should I look for in an identity theft protection service?

    There are several items on the checklist you should go through when searching for an identity theft protection service. Arguably the most important aspects when comparing one to another are monitoring (how extensive it is), alerts (how quickly you will be notified of fraud attempts), and recovery (how much insurance is offered, along with any additional help and services).

    Which is the right service for you?

    Overall the best plan for protecting your identity and monitoring your credit as an individual is probably Identity Guard. While its credit monitoring is a little lacking, it comes through with its identity theft protection. However, if you are looking to cover your entire family, then you may want to look into IDShield, particularly if you have a large family that you want to protect. 


  • Aussie businesses blame skills and internet speeds for limiting IT use in 2019-20

    The Australian Bureau of Statistics’ (ABS) latest Business Characteristics Survey (BCS) has revealed there were four main factors that prevented or limited businesses from using IT during the 2019-20 financial year. These factors were a lack of skilled persons within the business, unsuitable internet speed, insufficient knowledge of IT, and uncertainty around the cost of IT and its benefits. It was the first time the annual survey had questioned Australian businesses about this.

    Another first-time question introduced to the survey looked at what type of IT businesses used during the financial year. According to the survey, cloud technology was the most popular type of IT, used by 57% of all businesses, followed by cybersecurity software at 26%. At the bottom of that list were 3D printing and blockchain technology.

    In terms of cloud usage, 55% of all businesses reported using paid cloud computing in 2019-20, which is 13 percentage points higher than the 42% recorded in 2017-18. The use of paid cloud computing increased with each consecutive employment size category, ABS said, pointing out that 81% of businesses with 200 or more persons employed reported using this service.

    The survey also showed that 12% of innovation-active businesses — defined as “businesses that had undertaken any innovative activity” — reported using Internet of Things (IoT) technology, compared to 3% of non innovation-active businesses. Similarly, 9% of innovation-active businesses said they used data analytics, versus 2% of non innovation-active businesses. Unsurprisingly, businesses with 200 or more persons employed were the most likely to report using one or more forms of IT, at 95%.

    When the ABS surveyed businesses about cyber attacks, 8% saw a decline in the number of online security incidents and breaches during the full year, compared with 11% in 2017-18 and 16% in 2015-16. In 2019-20, 20% of all businesses reported having upgraded their cybersecurity software, standards, or protocols as part of their management practices.

    The ABS also took the opportunity to note that the BCS is currently undergoing a “redevelopment process” to “capture more detailed information on the two principal topics” of innovation and business use of IT. The redeveloped BCS innovation module will be a standalone survey, while the collection of business use of IT and other topics will be combined in another survey; both will run every two years and be conducted on alternating reference years, ABS said. The first innovation-focused collection will cover 2020-21, followed by the business use of IT survey in 2021-22.

  • Minister apologises after NDIA shared details of a victim with her perpetrator

    The minister responsible for the National Disability Insurance Scheme, Linda Reynolds, has apologised after a breach was committed against a woman who had experienced domestic violence. It was reported on Friday morning that the National Disability Insurance Agency (NDIA) gave the private details of the woman and her children to the perpetrator, who was recently released from jail.

    As detailed during Senate Estimates, the information included the location of the children’s school and the names of professionals working with one of the children.

    “The first thing I’d say is I unreservedly apologise for that, it should not have happened,” Reynolds said. “I’ve asked the NDIA for a full report on that. My first priority, and the NDIA’s first priority, is the safety and the privacy of the woman and the family concerned, and then also to work out how this happened and to make sure that it doesn’t happen again.”

    Also offering an apology to the victim was NDIA CEO Martin Hoffman, who said the investigation into what happened was already underway.

    “I can confirm that alerts were properly placed on the CRM record of this participant, the child, with the mother, in terms of the contact arrangements that should be in place. I can also confirm that the father had properly been removed from the child representative field, which is a field that drives the automated mail out of plan materials,” he explained.

    “I can also confirm that the information supplied was not the actual address of the family, but … did include location details, basically the suburb, and other material.

    “I’ve asked for a very rapid and thorough review as to what happened in this case, given that the actions in the CRM of the alert and the removal of the father from the child representative field had been done at the appropriate time.”

    Hoffman said he was alerted to the breach on Wednesday; Reynolds said she became aware on Friday morning.

    NDIA officials were probed on how they became aware of the incident, specifically whether it was in response to a media enquiry.

    “I didn’t get it through that channel, there was one at the same time, but we also had it escalated through the national contact centre,” Hoffman said.

    Labor Senator Jenny McAllister quoted the victim as saying in the initial media report that her pleas to the NDIA “fell on deaf ears”, as she was asked to send an email after calling to report the incident. She asked Hoffman if he was satisfied with the actions of his agency in the aftermath.

    “I’m clearly not satisfied that the communication, through the mail out of plan materials, included information that should not have been provided to the father, absolutely,” he said. “I am satisfied that the agency has very actively engaged repeatedly with the mother and the family in terms of rapid plan variations, additional support, engagement with other agencies in Victoria, to ensure the coordination of support, be it housing or safety, etc.

    “That activity has been extensive and ongoing, and is continuing today.

    “All I know, is that we’re proceeding to, as I said, understand fully the systems issues here, noting, as I said, that the right alerts and the right removal from the child rep field were done at the appropriate time.”

    Hoffman also said the NDIA has “very clear” approaches in terms of the identification and approval requirements for people to gain access to information about participants and their plans, through both the national contact centre and in-branch.

    “This is a very complicated area, there are often disputes, claims and counterclaims are made, timing of receipt of court orders, intervention orders, etc goes to this,” he said. “But this is an area that we do have policy and process to try and maintain the security of that information.”

    The apology from Reynolds comes merely 24 hours after Minister for Families and Social Services Anne Ruston apologised to a survivor who had their personal information breached when the details of their application to the National Redress Scheme were uploaded directly to another person’s myGov account.

    If you or anyone you know in Australia needs help, contact one of these services:
    - Suicide Call Back Service on 1300 659 467
    - Lifeline on 13 11 14
    - Kids Helpline on 1800 551 800
    - MensLine Australia on 1300 789 978
    - Beyond Blue on 1300 22 46 36
    - Headspace on 1800 650 890
    - QLife on 1800 184 527

  • Experts suggest tougher limits on access for employees after Supreme Court ruling limits use of hacking law

    The Supreme Court ruled against the government in a case centered on the Computer Fraud and Abuse Act (CFAA) on Thursday, writing that the Justice Department’s interpretation of the law was too broad and effectively attached “criminal penalties to a breathtaking amount of commonplace computer activity.”

    The 6-3 decision put a limit on how the federal government can use the law to prosecute those who unlawfully access a system. In her majority opinion, Justice Amy Coney Barrett wrote that Nathan Van Buren — a police officer from Cummings, Georgia who was convicted for taking a bribe to look up a license plate — did not violate the CFAA because as an officer he was given full access to the license plate database.

    Barrett was joined by Justices Sotomayor, Gorsuch, Kagan, Kavanaugh and Breyer, while Thomas, Alito and Chief Justice Roberts dissented. Barrett argued that by saying Van Buren exceeded his “authorized access” as a police officer, the government was criminalizing “every violation of a computer-use policy.” If that were the case, Barrett said, it would mean that “millions of otherwise law-abiding citizens are criminals.”

    Lawyers and legal experts had a wide range of responses to the ruling, depending on their client base. The ACLU praised the decision, listing specific instances where the expanded reading of the law had criminalized everyday activity and research. Esha Bhandari, deputy director of the ACLU’s Speech, Privacy, and Technology Project, called it an “important victory for civil liberties and civil rights enforcement in the digital age,” adding that it will “allow researchers and journalists to use common investigative techniques online without fear of CFAA liability.”

    Erez Liebermann, a partner at Linklaters, said companies and government entities now need to take extra steps to place technological barriers around data in their companies if they want to restrict employee access to it. While this will add costs, Liebermann said it may make data more secure, both from internal users and from hackers roaming through a company’s system.

    “The Court’s opinion removes a strong criminal deterrent. Employees who might have shied away from theft of internal data because of the fear of prosecution or civil action have caught a break,” Liebermann explained. “Terms of Use and Authorized Use Policies, which already had little teeth given that most people don’t read them, just had a few more teeth knocked out. It’s doubtful that they could form the basis of a criminal prosecution or civil action.”

    Mark Langer, a privacy associate with Aleada, said critics and activists have fought against the law for years because the CFAA’s current structure gives the government broad authority to prosecute and then relies on prosecutorial discretion to ensure that this authority is not abused.

    “Having the Supreme Court push back on this sweeping interpretation of the CFAA is a huge step for reining in the CFAA’s scope. Solving this problem goes far beyond the scope and facts of one case, and it is the job for a legislature, not a judge. Hopefully this case will provide momentum to Congress’s efforts to bring these laws into the 21st century,” Langer said.

    Epstein Becker Green lawyer Aime Dempsey explained that since the law was passed in the 1980s, it has been used to prosecute hackers and as a way for companies to sue certain employees for damages and other penalties. Dempsey echoed Liebermann’s sentiment, telling ZDNet that employers need to place more stringent limits on employee access now that the Supreme Court has ruled that even if unlawful access may violate company policy, it would not violate the CFAA.

    “If a company has a policy that someone will get fired if they misuse information, this decision wouldn’t change that at all. It would only change the access to this particular statute of the CFAA criminally or civilly,” Dempsey said.

    Alan Brill, senior managing director in the cyber risk practice of consultancy firm Kroll, said that the ruling “isn’t giving people a free pass to steal or misuse data because there are other laws to use in certain cases.” Companies will need to look at how their systems are built and whether they are giving too many employees access to too much information, he said.

    “I would probably call together the general counsel, the HR manager, the IT manager and the compliance officer and I would look at what our organization’s rules are for use and misuse of data. I would want to make sure that they were very clearly spelled out and I would want to make sure that they were spelled out appropriately in light of the other laws and labor laws,” Brill explained.

    Rules and penalties should be explained and sketched out in compliance with collective bargaining agreements, Brill added, noting that some companies should consider having employees sign updated non-disclosure agreements or computer use agreements.

    “This is a multi-dimensional problem that needs a well-thought-out, multi-dimensional answer,” Brill said. “But if we stick with the basics, giving people access to what they need and not giving them access to what they don’t need, we’re going a long way to immunizing ourselves from the effects of this decision.”

  • US Supreme Court limits scope of CFAA and rules bribing cops for data is not hacking

    The US Supreme Court has ruled that a police officer who obtained information from a licence database for a civilian, in exchange for money, did not violate federal hacking laws. The ruling clarifies the scope of the Computer Fraud and Abuse Act of 1986 (CFAA) and what kind of conduct can be prosecuted under it. The CFAA became law after the US government found that cybercrimes and hacking were not sufficiently addressed by the legislation of the time.

    The case arose after the Federal Bureau of Investigation caught former Georgia police officer Nathan Van Buren using his patrol-car computer to access a law enforcement database and retrieve information about a particular license plate number in exchange for money. When making the search, Van Buren used his own, valid credentials.

    After Van Buren was first charged, a US District Court convicted him on two charges: violating police department policy by obtaining database information for a personal purpose, and violating the CFAA by using a computer network in a way contrary to his job. Van Buren appealed those convictions, which eventually brought the case to the US Supreme Court and its judgment.

    At the Supreme Court, the justices ruled 6-3 in favour of Van Buren, as he had access to the database under his valid credentials. When making that ruling, the justices framed their judgment on whether Van Buren “exceeded his authorised access” when accessing the license plate database.

    “In the computing context, ‘access’ references the act of entering a computer ‘system itself’ or a particular ‘part of a computer system,’ such as files, folders, or databases,” wrote Justice Amy Coney Barrett in the majority opinion. “It is thus consistent with that meaning to equate ‘exceed[ing] authorised access’ with the act of entering a part of the system to which a computer user lacks access privileges.”

    The three judges who dissented from the decision, Justices Clarence Thomas and Samuel Alito and Chief Justice John Roberts, believed that Van Buren did breach the hacking laws as he was forbidden from using the computer to obtain the licence information.

    “Van Buren’s conduct was legal only if he was entitled to obtain that specific license-plate information by using his admittedly authorised access to the database. He was not. A person is entitled to do something only if he has a ‘right’ to do it,” Thomas wrote in his dissenting opinion.

    In the dissent, Thomas analogised Van Buren’s conduct to an employee pulling an alarm for a self-motivated reason, or a valet accessing a patron’s car and then going on a joyride. “An employee who is entitled to pull the alarm in the event of a fire is not entitled to pull it for some other purpose, such as to delay a meeting for which he is unprepared,” Thomas wrote.

    With the judgment, the CFAA charge against Van Buren has been dropped, while the charge for violating department policy remains intact.