GCHQ intern who stole ‘top secret' data risked lives of 17 agents

Yahoo

a day ago

A GCHQ intern endangered national security, risked exposing 17 colleagues, and 'threw away' thousands of hours of work when he took top secret data home, a court has heard.
Hasaan Arshad, 25, a Manchester University computer science student, was in 'flagrant breach' of security rules when he used his mobile phone to remove material from a computer system and transfer it to his private computer on Aug 24 2022.
Arshad, from Rochdale, Greater Manchester, pleaded guilty to an offence under the Computer Misuse Act, which carries a maximum penalty of life in prison.
He also admitted two charges of making an indecent photograph of a child in relation to 40 category A images and four category B images found on his phone following his arrest.
The court was told that part of the hearing – including a detailed assessment of the harm caused – would be outlined behind closed doors.
Arshad was jailed for seven-and-a-half years at the Old Bailey on Friday.
Sentencing, Mrs Justice Maura McGowan told him that the 'risk created by this conduct was at the highest level'.
'The risk was obvious', she added, 'and the actual damage that might have followed is incalculable.'
The court was told that Arshad's actions 'lost a tool' being developed at GCHQ, risked exposing the identities of 17 GCHQ colleagues, and undermined the trust of partners.
Prosecutor Duncan Atkinson KC said: 'His actions created a significant risk of damage to national security for reasons that can only be fully explained in a private hearing.
'In short, however, his actions compromised the security and utility of the material and the role it played in the national interest, and he also in the process put the safety of intelligence agency personnel at risk.'
GCHQ is the UK's intelligence, security and cyber agency. The highest levels of security are needed for GCHQ to carry out its work to gain information about threats to the UK from 'hostile states or terrorists' by using lawful covert tools and techniques, the court was told.
Mr Atkinson said: 'Put bluntly, if hostile states or terrorists were aware of how GCHQ was able to gather intelligence about their plans, they would be able to prevent the intelligence community in the UK from learning of those plans at a stage and to an extent that allows the intelligence community to thwart them.'
At the time of the offence, Arshad was coming to the end of an industry year placement with a technical development team that required him to work at a secure GCHQ site near Cheltenham, Gloucestershire, and use computer systems.
The court heard he was part of a team that worked on the development of 'tools and techniques' to obtain information about threats to the UK.
Arshad had undergone GCHQ induction and was required to sign the Official Secrets Act.
It was made 'abundantly clear' to Arshad that his access to top secret material had to be in controlled circumstances at 'an extremely secure location', Mr Atkinson said.
He went on: 'In flagrant breach of those obvious and necessary restrictions, the defendant used a mobile handset provided for his use whilst on his work placement but with strictly confined scope as to its permitted use, to remove top secret material from the top secret network of the technical development team to which he had been attached.
'He then transported that material from the secure location where he had been working to his home, risking it falling into the wrong hands or being lost, and downloaded it onto a removable hard drive which formed part of IT system that he used at his home address.
'This home computer system wholly failed to match the necessarily exacting security requirements of GCHQ's systems, and therefore exposed this top secret material to the vagaries and risks of an unsecure computer system connected to the internet at an insecure location.
'This significant security breach compromised lawful intelligence-related activity that was being undertaken in the national interest. In doing so, he threw away many thousands of hours of work, and significant sums of taxpayers' money.'
Mr Atkinson said Arshad's actions had damaged 'confidence in UK security' because the data included the identities of a 'significant number' of GCHQ colleagues and put others' safety at 'direct risk'.
Following his arrest, the defendant admitted removing data without authorisation 'out of curiosity'.
He said in a statement that he had no intention to hand over the data to anyone else.
He told police: 'I would like to apologise for my actions. I removed the data simply out of curiosity.
'I'm sorry for my actions and I understand the stupidity of what I have done.'
Arshad said he 'went out of my way' to ensure the data was stored locally and not in the cloud.
Asked if he had breached the level of trust and confidence by removing the sensitive data without authority, he replied: 'No comment.'
Mitigating, Arshad's lawyer Nina Grahame KC said the defendant had been 'reckless', 'thoughtless and naive'.
His internship had involved working on a 'specific project', which he had been unable to complete before the end of the placement, she added.
He took the data home because he wanted to 'continue and complete the most exciting and challenging work the defendant had ever undertaken' in the hope of gaining future employment at GCHQ, Ms Grahame said.
Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.