Unauthorized Access to Corporate Networks in the UK

Key Legal Principles

Courts in the UK generally focus on:

  • Whether access was authorised or exceeded authority
  • Intent (mens rea) to access or misuse data
  • Whether the accused had knowledge that access was unauthorised
  • Whether the conduct involved systems, data, or credentials beyond permitted use

Important Case Law (Unauthorized Access to Networks & Systems)

1. R v Gold & Schifreen [1988] AC 1063

This case involved hackers who accessed a telecom system using stolen credentials.

  • They accessed a private electronic mailbox system (Prestel)
  • The House of Lords held that existing forgery laws did NOT cover hacking
  • This case directly led to the creation of the Computer Misuse Act 1990

Legal importance:

  • Recognised the need for criminalisation of unauthorised computer access
  • Gave early recognition to “hacking” as a gap in the law that needed filling

2. DPP v Bignell [1997] 1 Cr App R 1

Police officers used the Police National Computer for personal purposes.

  • They were authorised to access the system generally
  • But used it for an unauthorised purpose (personal gain)

Held:

  • Not guilty under CMA Section 1 at that time

Key principle:

  • At the time, misuse of authorised access ≠ unauthorised access (later clarified)

3. R v Bow Street Magistrates Court, ex parte Allison [1999] UKHL 31

A bank employee accessed American Express systems beyond his authority.

Held:

  • Even if access to the computer exists, accessing data beyond authorised scope = offence

Key principle:

  • Authority must relate to specific data or access level, not general system access

Importance for corporate networks:

  • Employees exceeding permission boundaries commit CMA offences

4. Attorney-General’s Reference (No. 1 of 1991) [1992] QB 94

A defendant used one computer system to facilitate fraudulent access.

Held:

  • Section 1 CMA does NOT require multiple computers
  • Even internal system misuse can qualify as unauthorised access

Key principle:

  • Internal corporate systems are equally protected under CMA

5. R v Martin [2013] EWCA Crim 1420

Involved DDoS attacks on university and police systems.

  • Targeted Oxford & Cambridge systems
  • Included PayPal account misuse

Held:

  • Sentenced to imprisonment due to seriousness and disruption

Key principle:

  • Corporate/government network disruption is treated seriously due to economic and operational harm

6. R v Brown (Charles) [2014] EWCA Crim 695

The defendant accessed bank accounts and altered account details.

  • Used stolen credentials
  • Potential financial loss was very large

Held:

  • Conviction upheld under CMA Sections 1 and 2

Key principle:

  • Accessing corporate financial systems without authority + intent to manipulate data = serious offence

7. R v Crosskey [2012] EWCA Crim 1645

The defendant hacked Facebook accounts and obtained passwords.

  • Used social engineering (deceiving platform staff)

Held:

  • Guilty under CMA Section 1

Key principle:

  • Deception of system administrators still counts as unauthorised access

8. R v Mudd [2018] EWCA Crim 1927

Large-scale DDoS attack infrastructure provider case.

  • Distributed malware tool creation
  • Millions of cyber attacks facilitated

Held:

  • Custodial sentence upheld due to scale and intent

Key principle:

  • Providing tools for network intrusion attracts criminal liability under the CMA

How These Cases Apply to Corporate Networks

From the case law above, UK courts treat unauthorized corporate network access broadly:

1. Employee misuse is still criminal

Even if someone has login credentials, accessing restricted data (HR files, finance systems, client databases) can be illegal (Allison).

2. External hacking is clearly criminal

Credential theft, phishing and brute-force attacks all fall under Sections 1 and 2 CMA (Gold & Schifreen, Brown).

3. Internal system abuse is included

Even within a company, exceeding permissions = offence (Bignell refined by Allison).

4. Large-scale attacks = severe sentencing

DDoS, ransomware, and disruption of corporate services lead to imprisonment (Martin, Mudd).

Conclusion

Unauthorized access to corporate networks in the UK is primarily prosecuted under the Computer Misuse Act 1990, and courts have consistently interpreted it broadly to cover:

  • External hackers
  • Employees exceeding authority
  • Social engineering attacks
  • Automated cyber-attacks (DDoS, malware)

The case law shows a strong judicial trend: any intentional access without proper authority, especially involving corporate systems, is treated as a serious criminal offence.
