back to article Swedish city demands £40,000 to repair teenage hacking spree

A Swedish local authority is seeking almost £40,000 in damages from a 17-year-old who hacked its IT system. Umeå, in northern Sweden, is demanding half a million Swedish kroner from Erik Sundqvist as compensation for damages incurred after the then-16-year-old hacked into the municipal system. Sundqvist, who says he only …

  1. SolidSquid

    Was expecting to see claims that he'd deleted files or something, but if they've pretty much confirmed all he did was view the passwords then frankly they should be paying to secure it properly themselves (as they should have done in the first place). If it was really as easy to access as he's making it out to be then the only safe assumption is that the system was already compromised by others too. Sounds like they're trying to get someone else to foot the bill for what they should have done themselves

    1. Jimmy2Cows Silver badge

      Well said. Sadly this is the way it always goes down. Fail to implement proper security, and when someone does "hack" the system send the "hacker" the bill for daring to point out the incompetence.

      1. Anonymous Blowhard

        "when someone does "hack" the system send the "hacker" the bill for daring to point out the incompetence"

        And if they leave the town hall doors unlocked, anyone who checks and then tells them will have to buy new locks and an alarm system.

    2. Afernie

      Also, suggesting that it will somehow cost some of that £40000 to change 600 passwords strongly suggests that they think scripting is something telemarketers use.

      1. Jimmy2Cows Silver badge

        £40k to change 600 passwords

        Were do I apply? I'll do it for £30K in my lunch break.

        1. Anonymous Coward
          Anonymous Coward

          Re: £40k to change 600 passwords

          Were do I apply? I'll do it for £30K in my lunch break.

          :). I think this is a massive own goal. Not only did they publish that they couldn't run a safe system if they wanted to, they also made it clear that will fail to do so in the future because they don't seem to have the right idea of what it takes.

          Unauthorised testing for vulnerabilities is in many countries a crime, for fairly logical reasons - but you can choose how to react when someone at least tells you what they found. Others will not.

          It can indeed take a good € 40k because you need to audit the system, and I suspect they will probably get in some big name consultancy so they can show that they have thrown money at the problem to offset any liabilities. Where they went completely wrong was managing the media impact - by seeking to kill the messenger they have created adverse publicity, wasted goodwill and probably set themselves up for a more thorough probing from all and sundry who don't like the idea of taking a friendly to court.

          *Not* the brightest response IMHO.

      2. Annihilator
        Trollface

        "other unspecified costs."

        Which makes me think "expenses", which in turn makes me think they got a consultancy firm to do it.

        1. I. Aproveofitspendingonspecificprojects

          > makes me think they got a consultancy firm to do it.

          It made me think they still hadn't done it at the time of writing, which means that some generous soul still has time to nip in and round up a few passwords with the idea of selling them off for the 40,000 to pay for the lad's seek and ye shall fined

    3. TheVogon Silver badge

      "The authorities say the compensation will in part pay for the time spent going through their systems to change the passwords"

      But they should be doing that regularly anyway!

    4. NoneSuch
      Black Helicopters

      Obviously a radical

      "He said it was ridiculous that a public IT system that stores personal data on so many people should be so unsafe."

      My lord. Actually asking government to use more than a tab + slot cardboard flap to protect their users data? What a revolutionary! Then forcing them to change passwords, but not fix the underlying vulnerability that got him in there in the first place. There's a sensible and thorough solution to correct things. (Not.)

      Let's not fix the problem, let's just charge the person who highlighted the problem to the public. They should go work for the American government with that attitude.

  2. Anonymous Coward
    Anonymous Coward

    I think I read in a local article that he actually tried to warn them first, but they didn't listen to him, and that's why he decided to show them. Don't know if that is actually true or not though.

  3. LucreLout Silver badge

    Surely they should be sacking whomever is in charge of their system security and hiring this guy as a consultant to his replacement, assuming he doesn't want the job himself?

    Passing on the bill for proper security to the guy that pointed out what you had wasn't worth shit seems unfair. People have very little choice about allowing the state to hold whatever data they please about us. The minimum we're entitled to expect is that it'll be kept securely, and that there will be consequences when its not (lessons are only learned once heads have rolled).

    1. Anonymous Coward
      Anonymous Coward

      Job application @LucreLout

      probably not the most original job application ever, and it has to be better than shooting someone to prove their close protection needs improving, but let's see what happens!

      1. LucreLout Silver badge

        Re: Job application @LucreLout

        probably not the most original job application ever, and it has to be better than shooting someone to prove their close protection needs improving, but let's see what happens!

        I'm not sure that's equivalent... Maybe shooting them with a nerf gun perhaps.

    2. Jimmy2Cows Silver badge

      @LucreLout

      That should happen, of course, but that means they'd have to admit they screwed up. Which is never gonna happen.

      Far better to say "we were hacked" because Joe Public believes hackers are scarey evil monsters. Saying "someone found our unsecured, unencrypted password database and showed us what a bunch of morons we are" doesn't have the same ring.

      Heads have rolled. Sadly, as ever, the wrong ones.

      1. Danny 14 Silver badge

        Re: @LucreLout

        sadly enough he has a criminal network for hacking now so he wont be able to get a job on the council.

  4. Christoph Silver badge

    We know our system is secure because nobody points out any faults.

    If anyone does point out any faults, we sue them.

    See? Nobody points out any faults.

    What could possibly go wrong?

  5. Anonymous Coward
    Anonymous Coward

    Still fair compared to other countries...

    35 hours community service and a 5-digit bill for breaking into local authority websites isn't that harsh at all. Let's not forget that what he did is still illegal.

    In other countries, especially on the other side of the big pond, he would have been locked away for a long time, paying compensation in the millions, and possibly be branded a terrorist for good measure...

    1. Anonymous Coward
      Anonymous Coward

      Re: Still fair compared to other countries...

      done for deterrent value?

      Same principle as shops taking civil action against a shoplifter for costs incurred as a result of the theft. Even if the magistrate tells them they've been a bit naughty and they shouldn't do it again and imposes a minimum fine, they get stung for a bit more.

      1. gnasher729 Silver badge

        Re: Still fair compared to other countries...

        According to what I have been reading, there was no or very little cost caused by his hacking. The cost is due to them having insecure systems. If they had hired a security consultant to check the security of their passwords, and the security consultant had told them that they were so badly protected that a 17 year old without any special knowledge could read their passwords, then they'd have to pay the same bill.

      2. MonkeyCee Silver badge

        Re: Still fair compared to other countries...

        "Same principle as shops taking civil action against a shoplifter for costs incurred as a result of the theft."

        There's very strict rules on what they can charge for that, mainly based on value of items they nicked. You can't charge a shoplifter for the costs of a CCTV system installation, or claim that they have to pay $40k for the security firm to do it's fcking job properly.

        Also seems to fail the deterrent value test. If you white hat it, point out the insecurity you get fined and prosecuted. If you steal the information, use it to cause harm or gain profit, you get fined and prosecuted.

        Should have made his community service to toughen up their infosec. Well, except that it probably boils down to "is very inconvenient being secure. Please give everybody all the access to all the passwords". Or perhaps it's the "we haz autosaved passwords everywhere, we iz super secure".

        If people treated physical security like infosec they would get laughed out of court.

    2. Anonymous Coward
      Anonymous Coward

      Re: Still fair compared to other countries...

      And that makes it right, because?

    3. Buzzword

      Re: Still fair compared to other countries...

      And where exactly does a 17 year old find £40,000 to pay the fine?

      1. Danny 14 Silver badge

        Re: Still fair compared to other countries...

        he probably saved them more than 40k in identity theft by forcing them to shore up their defences. Other companies tend to offer BOUNTIES to point out issues like this. He didn't sell the passwords on, they "caught" him because he tried to tell them.

      2. Richard 26

        Re: Still fair compared to other countries...

        "And where exactly does a 17 year old find £40,000 to pay the fine?"

        He wasn't fined; the city is asking for damages. That's not the same thing at all. And asking isn't the same thing as getting.

  6. Graham Marsden
    Thumb Down

    How do you say...

    ... "pour encourage les autres" in Swedish?

    Oh, just like in the US and the UK you don't shoot the guy whose failed in their responsibility to make sure the system was secure in the first place, you punish the guy who demonstrated the problem because nobody would listen.

    1. NorthernCoder
      Headmaster

      Re: How do you say...

      "För att avskräcka de andra" if you want to discourage or "För att uppmuntra de andra" if you want to encourage.

      It should be noted that there is a difference of opinion between the young man and the city council whether he actually cooperated when the breach and malware was discovered.

      Oh, and it should be "kronor", not "kroner" for the plural of the currency.

      1. Glenturret Single Malt

        Re: How do you say...

        The point is that "pour encourager les autres" isn't about encouraging or discouraging at all. The verb is being used ironically. The phrase is often associated with another much-argued word, decimate. If the occupying Romans had to put down a local uprising, then they might kill a tenth of the subdued male population "pour encourager les autres".

  7. Ashton Black

    My 2p on this...

    If the kid told them, before the hack, that "x" exploit was open, but they ignored him and did nothing, with a reasonable fix time, then they have been negligent and in my opinion, should be liable for their own security costs. (Bearing in mind, the kid does now have a criminal conviction over and above their sueball.You can't sue a burglar for the cost of a security system, after leaving your windows open.)

    If however, this was a straight black hat hack, then yes, he should be liable.

    It doesn't state if this was the case or not.

  8. Rande Knight

    And this is why you always alert people anonymously - a lot of people with power like to shoot the messenger when they don't like the message.

    1. Sarah Balfour

      He's probably thinking the exact same thing in hindsight…

      …it's either teenage naïveté - or greed (in that he thought that, by not hiding his identity, he'd be hailed a hero and a massive reward would be his).

      Although I will concede that not ALL teenagers are money-grabbing shits, just most… ;OD I have to say my image of Sweden is changing rapidly.

    2. DNTP

      "Unfortunately we cannot respond to anonymous security tips due to concerns about the validity of such sources and the difficulty of arresting and prosecuting the providers of this information."

  9. Anonymous Coward
    Anonymous Coward

    This is precisely the problem...

    ...failure to impose a deterrent to hacking. 35 hours community service is an insult when this person could have just told the appropriate people why he believed they system was insecure instead of actually hacking it. Proof of concept could be done by the authorities. The kid should at least pay the damages and be held accountable for hacking - which 35 hours community service is not.

  10. ascii bandit

    The original article states, that it is not the first time he is charged with hacking, and that he repeatedly have tried to make the it department aware of the lack of security

    Furthermore, there is a quote from the judge, that the documented warnings will have no impact on the verdict.

    Nice work, there is a bloke who will never warn anybody of anything again.

    :(

  11. Mad Chaz

    Here is what this sounds like to me, by telling a story that I think equates to what happened.

    You are walking down the street and pass by a local police building. It's got a nice architecture so you go to take a closer look. You see, via a window, highly sensitive investigation files, right in view of anyone who could walk up to the window, like you just did.

    You walk in the front door and tell the officer on duty "Hey, I was passing by and noticed someone doing an investigation is leaving the files in plane view of the third window on the right from the door, you guys should be more careful."

    Then the cops reply "Sir, you're under arrest for breaking into police property and damaging the building security. Pay up a huge fine so we can install automatic curtains that stay closed at all time on the windows so it doesn't happen again".

    Yea ... the public is no longer allowed to point out incompetence in the gouv. That will never go wrong ...

  12. I. Aproveofitspendingonspecificprojects
    Headmaster

    > you guys should be

    You blokes should be

    FTFY

  13. Bob Dole (tm)

    Fine for the firm?

    What fine does the firm have to pay for storing passwords in a non-encrypted format?

    What fine does the firm have to pay for not bothering with any type of security on personal data?

    If this kid has to pay 40k, then I'd think the firm out to be hit with about a 4m one. Seems fair to me.

  14. cduance

    40k

    They should get fined by the ICO for a breach and potential loss of data perhaps 200k just to make the point that security is their problem and that suing a white hat hacker is just going to give every black hat hacker the green light to hack them because they don't take security seriously.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019