Hungarian ‘ethical hacker’ faces eight-year prison sentence

Man stands accused of ‘disturbing a public utility’

A hacker based in Hungary is facing eight years in prison for exposing vulnerabilities in the system of a major telco, local media reported this week.

The security researcher, believed to be a white hat, stands accused of accessing a database belonging to Magyar Telekom – the country’s largest telecommunications provider, also known as T-Systems – a court heard this week.

The Prosecution Service of Hungary is seeking criminal charges under “disturbing a public utility” after the defendant refused a plea bargain of a two-year suspended sentence if he pleaded guilty.

The researcher’s defense team from the Hungarian Civil Liberties Union (HCLU) say the unnamed man discovered a serious vulnerability in the Magyar system, which could have given an attacker access to data pertaining to the telco and its clients.

This is ethical hacking and brings benefit – rather than harm – to society, the HCLU claims.

The HCLU went on to describe how the defendant, an unidentified young man in his early 20s, had initially found a different vulnerability in the Magyar system last April.

“He [the defendant] contacted the telecom, where they were actually grateful of him, they met him in person, they offered him a job, then he went home,” the HCLU’s Adam Rembort told The Daily Swig in a phone call earlier today.

“A couple of days later he went back onto the system to see if the fault had been repaired but nothing had been done. He continued to check for further flaws, as he was in the middle of a [job] negotiation, and he kept finding problems in the [telecom’s] information system.”

Magyar detected an unknown attacker on its systems and reported it to authorities – leading to the arrest.

“It’s kind of a misunderstanding,” Rembort said. “The telecom was probably following the wrong protocol, as they have an external security protocol to approach the police when anyone breaches their system.”

Rembort also claimed that the indictment, which has not been made public, was missing a significant amount of technical details.

The defendant is being charged under section 423 of Hungary’s Criminal Code for unauthorized entry to an information system.

“Even if someone is hacking ethically and, in this case, without a contract, it will be considered a criminal offence by the authorities,” Rembort said.

“During the criminal procedure the defendant must convince the authorities that his or her acts weren’t harmful to society.”

The trial is ongoing, with a verdict expected sometime in the summer.

The Daily Swig has reached out to the Prosecution Service of Hungary for comment.