What's the penalty for hacking?

Hacking can take place in different ways. Someone who accesses someone else's computer, account or network without permission is, in principle, guilty of computer peace (art. 138ab of the Criminal Code). This does not only apply to the complicated hacking of someone else's computer. For example, secretly logging into someone else's e-mail account or Instagram is also a punishable offence. In addition, there are various other criminal provisions, for example on the destruction of someone else's data, the committing of suffocation attacks - (D)DoS-attacks - and stolen computer data.

In a previous blog is set out when hacking is not an offence. This can - in short - be the case when someone adheres to the conditions set by the organisation concerned, does not go beyond what is strictly necessary and reports the vulnerability found directly to the organisation.

All other cases of hacking are in principle punishable. That was the explicit wish of the legislator. When a case about cybercrime comes before the court, the court must first determine whether the accused is guilty of, for example, breaking computer peace. If that is the case, an appropriate penalty must be determined.

Penalties for cybercrime

The maximum term of imprisonment for a breach of computer peace involving the copying of information is as follows four years or a fine of €20,750. If no data have been copied, the maximum penalty is two years.

Another example is having a trojan horse or a password to access someone else's computer or account. If the judge finds that someone was planning to hack into someone else's computer or account (illegally), the maximum prison sentence is two years (Article 139d(2)(a) and (b) Sr). For example, there are various maximum sentences for the various forms of cybercrime that are punishable.

But in practice, the maximum sentence is usually not imposed. The judge takes all kinds of circumstances into account in order to arrive at an appropriate punishment. For example, the seriousness of the offence plays a role (is there damage? How long and how often was it committed? Was it for profit, or was it more of a carelessly executed ethical hack?). The personal circumstances of the suspect are also important. Is this a first conviction? Does the suspect deny it, or does he express regret? What consequences would a certain punishment have for this suspect? Et cetera.

The Public Prosecution Service has a directive drawn up on the penalties that can be demanded. This is only a starting point for the assessment; under circumstances it can always be higher or lower. This Directive lists various offences and different circumstances which together result in a starting point on the penalty to be demanded. Some examples:

Within the relational sphere:

• someone remembers the password of an ex-partner and out of curiosity logs into a social media account of that ex: community service 20 - 80 hours;
• the same, but now this person is angry and sends a dirty message from an account of the ex: community service 120 hours.

For profit:

• Someone is preparing a hack to capture bitcoin, and has login details and malware to do so: imprisonment of two weeks;
• the use of crypto or ransomware: imprisonment of three months.

Transferring data:

• a student hacks the university's server in order to be able to see the answers to an exam: imprisonment of two months.

Cybercrime with ideological motive:

• a football supporter who hacks the website of a rival club and replaces it with messages about his own club (defacing): community service of 60 hours;
• the same supporter decides to temporarily take the website off the air by means of DDoS attack, whereby the damage remains limited: community service of 60 hours.

As I said, these are just guidelines for a penalty. In the end, the judge decides on the basis of all the circumstances. Via jurisprudence.nl are very different penalties depending on the seriousness and extent of the offences committed. For example, in a large-scale case involving phishing, various crimes can quickly be committed (fraud, computer breakdowns of peace, money laundering, etc.). Certainly when there are more victims, the punishment can quickly increase. In the past, for example, prison sentences have been imposed for 146 weeks, 30 months and three years. But even in a large phishing case, there can be a whole lot of phishing under certain circumstances. suspended sentence and community service. Punishment is tailor-made.

For a more specific assessment of the expected punishment, knowledge of the file and personal circumstances is required. If desired, you can contact us for this contact form.