Computer Crime and Security
🔐 Scenario 1: The Curious Developer
Scenario:
Alex is a junior software developer at a cybersecurity company. One evening, while testing
an internal tool, Alex discovers that a misconfigured admin panel gives full access to client
systems — including passwords, configurations, and even billing information. Curious, Alex
starts exploring the data, just to “see how it works.” They don’t change anything or download
files, but they do open several client accounts out of curiosity. The next day, Alex casually
mentions this at lunch with a coworker, who immediately informs their manager.
Question:
Did Alex commit a computer crime? Was this an ethical violation, a legal one, or both? What
should happen next?
Answer:
Yes, Alex committed a serious ethical and legal violation — even if they didn’t “steal” or
misuse the data.
Legal side: Accessing data you are not authorized to view — even if you don’t copy
or change it — can be a violation of laws like the Computer Fraud and Abuse Act
(CFAA) or similar regional cybercrime laws.
Ethical side: As a developer in cybersecurity, Alex has a heightened duty to protect
client systems, not to explore them without permission. Their actions show a lack of
integrity and respect for privacy.
What should happen:
o The company should conduct a formal internal investigation.
o Alex should receive appropriate disciplinary action, which may include
termination depending on policy and intent.
o The company should also review access control policies and log monitoring,
since the system design allowed this in the first place.
o If this incident is reportable under data protection laws (e.g., GDPR), the
affected clients may need to be informed.
🧠 Scenario 2: The Gray-Hat Security Consultant
Scenario:
Priya is a freelance penetration tester who enjoys poking around in public websites. One
night, she finds a vulnerability in a major e-commerce platform that allows her to access user
emails by modifying the API requests. Excited by the find, she reports the issue to the
company’s public email, which has no bug bounty program or security disclosure policy. She
doesn’t get a response for weeks, so she posts the exploit — including a screenshot of sample
data (blurred) — on a cybersecurity blog to raise awareness.
Question:
Was Priya’s action ethical? Could it be considered a crime? Should companies have a better
way to handle these situations?
Answer:
This case dives into gray-hat hacking — well-intentioned but legally murky.
Ethics: Priya had good intentions (responsible disclosure), but by publicly posting the
exploit — even partially blurred — she risked real harm to users and the company.
Legal: Depending on jurisdiction, Priya could be charged under unauthorized access
laws. Even without malicious intent, exploiting a vulnerability without permission is
often illegal.
Best practice:
o Priya should have stopped after reporting the issue.
o Publishing vulnerabilities is only ethical if done after disclosure, patching,
and permission.
Systemic issue: The company should have a disclosure policy or bug bounty
program. Transparency and structured channels help ethical hackers report safely.
💻 Scenario 3: The Insider Threat
Scenario:
Jared, a system admin at a cloud storage firm, was passed over for a promotion. Frustrated, he
writes a script to gradually delete non-critical logs and backup metadata over several months
to make it look like a system error. He doesn’t touch user files, but the result is a loss of
traceability. No one suspects him. However, when the company is later audited for
compliance, the missing data leads to fines and investigation. A digital forensics team
eventually traces the malicious script back to Jared.
Question:
What kind of cybercrime did Jared commit? What should be done to prevent such insider
attacks?
Answer:
Jared committed multiple cybercrimes and a serious breach of trust.
Crimes involved:
o Unauthorized modification of data.
o Obstruction of audits/compliance processes.
o Potential violations under laws like the CFAA or national security/cybercrime
acts.
Motivation doesn’t justify the action: Being passed over doesn’t give license to
sabotage systems. This is a textbook insider threat.
Prevention:
o Implement role-based access control (limit what admins can do alone).
o Use log tamper detection and alerts.
o Regular code and script reviews.
o Encourage a healthy work culture to reduce motivations for revenge.
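The "log tamper detection and alerts" control above, sketched as an added example (not part of the original case study): each log record is chained to the previous one with an HMAC, so quietly removing a record, as Jared's script did, breaks the chain. The key, the sample records and the out-of-band checkpoint are assumptions made for the illustration; the key is assumed to sit in a separate signing service that the log host's administrators cannot read.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32
# Constructed sample data; the key is assumed to live in a separate signing
# service that the log host's administrators cannot read.
KEY = b"constructed-demo-key"
SAMPLE_LOG = [
    "2024-03-01T02:00:00Z backup job=nightly status=ok",
    "2024-03-02T02:00:00Z backup job=nightly status=ok",
    "2024-03-03T02:00:00Z backup job=nightly status=ok",
    "2024-03-04T02:00:00Z backup job=nightly status=ok",
    "2024-03-05T02:00:00Z backup job=nightly status=ok",
]

def _tag(key, prev, seq, msg):
    return hmac.new(key, prev + seq.to_bytes(8, "big") + msg.encode(), hashlib.sha256).digest()

def seal(entries, key):
    """Chain every record to its predecessor: tag_i = HMAC(key, tag_{i-1} || seq || msg)."""
    prev, sealed = GENESIS, []
    for seq, msg in enumerate(entries, start=1):
        prev = _tag(key, prev, seq, msg)
        sealed.append((seq, msg, prev.hex()))
    return sealed

def verify(sealed, key, checkpoint_seq=None):
    """Return alerts; an empty list means no record was removed or altered."""
    alerts, prev, want = [], GENESIS, 1
    for seq, msg, tag_hex in sealed:
        if seq != want:
            alerts.append(f"gap: expected seq {want}, found {seq}")
        if not hmac.compare_digest(_tag(key, prev, seq, msg).hex(), tag_hex):
            alerts.append(f"bad tag at seq {seq}")
        prev, want = bytes.fromhex(tag_hex), seq + 1  # resync on the stored tag
    # The chain alone cannot see records cut from the tail, so compare with the
    # last sequence number recorded out of band (e.g. by the signing service).
    if checkpoint_seq is not None and want - 1 != checkpoint_seq:
        alerts.append(f"truncated: last seq {want - 1}, checkpoint says {checkpoint_seq}")
    return alerts

if __name__ == "__main__":
    sealed = seal(SAMPLE_LOG, KEY)
    print(verify(sealed[:2] + sealed[3:], KEY, checkpoint_seq=5))  # record 3 deleted
    print(verify(sealed[:4], KEY, checkpoint_seq=5))               # tail deleted
```

Because the verifier resynchronises on the stored tag, a single deleted record produces one gap alert and one bad-tag alert rather than flagging every later record.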
🧾 Scenario 4: The Data Leak Cover-up
Scenario:
A marketing startup experiences a data breach due to an exposed database. The breach affects
over 50,000 users. The CTO learns about it, fixes the issue silently, and decides not to report
it — hoping no one will notice. However, a journalist discovers the breach weeks later and
publishes an exposé. The company then scrambles to respond.
Question:
Was the CTO's decision ethical? What laws might have been broken? What are the long-term
risks of such a cover-up?
Answer:
The CTO’s actions were highly unethical and likely illegal.
Ethical lapse: Transparency and accountability are core ethical principles in security.
Users trust the company with their data.
Legal consequences:
o Violations of data protection laws (e.g., GDPR, CCPA) which require timely
breach notification.
o Fines and potential lawsuits.
Long-term risks:
o Loss of user trust and reputation.
o Potential criminal liability for knowingly hiding breaches.
o Employees may resign or blow the whistle.
Correct action:
o Immediately notify users and regulators.
o Offer credit monitoring if sensitive data was leaked.
o Conduct a thorough breach investigation and share learnings transparently.
Scenario 1: The Phishing Campaign That Worked
Scenario:
Rita is the head of HR at a medium-sized fintech company. One day, she receives what appears to be
an email from the company’s CEO asking her to urgently send over the W-2 tax forms of all
employees for an "investor audit." The email has the CEO's name, company logo, and even includes
his digital signature.
Pressed for time, and trusting the source, Rita compiles the data and emails the information — only
to realize hours later that the CEO never sent the message. An external attacker had spoofed the
email and stolen sensitive personal data of over 300 employees, including Social Security numbers.
Question:
What type of computer crime occurred here? How does phishing like this work? What could have
been done to prevent this breach?
Answer:
Type of Computer Crime: Spear phishing, a highly targeted form of social engineering.
How it works:
o The attacker used email spoofing and psychological manipulation to impersonate a
trusted figure.
o The request was framed as urgent and authoritative — common in successful
phishing attacks.
Consequences:
o Identity theft risk for employees.
o Regulatory issues (violation of data protection laws like GDPR or CCPA).
o Loss of company trust and possible legal liabilities.
Prevention:
o Employee training on phishing and verifying suspicious requests.
o Implementing email authentication protocols like SPF, DKIM, and DMARC.
o Using two-person verification for sensitive data requests.
o Multi-layered cybersecurity awareness programs and anti-phishing tools.
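How the email-authentication and verification controls above could be applied to a request like the one Rita received, as an added example (not part of the original case study): it reads the DMARC verdict stamped by the receiving mail server and also flags an executive's display name arriving from an outside domain, a case DMARC alone does not catch. The domain names, the executive name, the authserv-id and the sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (all constructed):
TRUSTED_AUTHSERV = "mx.corp.example"  # authserv-id stamped by our own inbound MTA
ORG_DOMAIN = "corp.example"           # the company's real mail domain
EXEC_NAMES = {"dana reyes"}           # display names attackers are likely to borrow

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts, read only from the header our own MTA added."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:  # senders can forge others
            return {m.lower(): r.lower()
                    for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I)}
    return {}

def assess(raw):
    """Return findings that should hold a sensitive-data request for call-back."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_domain = domain_of(msg.get("From"))
    findings = []
    if auth_results(msg).get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    if display in EXEC_NAMES and from_domain != ORG_DOMAIN:
        findings.append("exec-name-external-domain")  # DMARC can pass for a look-alike
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")
    return findings

def sample(from_hdr, auth, reply_to=None):
    lines = [f"From: {from_hdr}", f"Authentication-Results: {auth}", "Subject: W-2 forms"]
    if reply_to:
        lines.append(f"Reply-To: {reply_to}")
    return "\n".join(lines) + "\n\nPlease send today.\n"

SPOOFED = sample('"Dana Reyes" <dana.reyes@corp.example>',
                 "mx.corp.example; spf=fail smtp.mailfrom=bulk.test; dmarc=fail header.from=corp.example",
                 reply_to="dana.reyes@corp-mail.test")
LOOKALIKE = sample('"Dana Reyes" <dana.reyes@corp-example.test>',
                   "mx.corp.example; spf=pass smtp.mailfrom=corp-example.test; dmarc=pass header.from=corp-example.test")
LEGIT = sample('"Dana Reyes" <dana.reyes@corp.example>',
               "mx.corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example")
```

Any non-empty result from `assess` is a reason to route the request through the two-person verification step before data leaves the company.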
🌐 Scenario 2: The DDoS Attack on Launch Day
Scenario:
A gaming company launches a highly anticipated online multiplayer game. Within an hour of going
live, their servers crash. Users flood social media with complaints. The dev team scrambles and
discovers the crash wasn’t from user overload — but a massive DDoS attack generating over 1
million fake connection requests per second, coming from a botnet of infected IoT devices. The
company had no cloud-based traffic mitigation or CDN protection in place.
The attacker later demands $100,000 in cryptocurrency to stop the attack.
Question:
What type of crime is this? How do DDoS attacks work, and how should companies respond to them
both technically and legally?
Answer:
Type of Computer Crime: Distributed Denial of Service (DDoS) with an element of cyber
extortion.
How it works:
o Attackers use botnets (often infected devices like webcams, routers, or smart
fridges) to flood a server with traffic.
o The flood makes the service unusable to real users — a type of availability attack.
Impacts:
o Loss of revenue.
o Damage to reputation.
o Increased customer churn.
Technical Response:
o Use Content Delivery Networks (CDNs) and cloud-based DDoS mitigation tools.
o Employ rate limiting, firewalls, and anomaly detection systems.
o Partner with ISPs for upstream filtering during large-scale attacks.
Legal and Strategic Response:
o Do not pay the ransom — it encourages future attacks and is often illegal under
anti-terror financing laws.
o Report to cybercrime authorities (e.g., FBI, national cybercrime units).
o Document everything for forensic analysis and incident response planning.
🎭 Scenario 3: The Deepfake CEO
Scenario:
In a surreal turn of events, a CFO receives a video call from what looks and sounds exactly like the
company’s CEO, instructing her to transfer $5 million to a new international vendor account
“immediately, for a confidential acquisition.” The CEO mentions things only an insider would know
and insists it’s time-sensitive.
Hours later, after the money is wired, the CFO learns that the real CEO was on a flight during the call.
A deepfake video and voice clone had been used to impersonate the CEO using data scraped from
company webinars and social media. The attackers vanished with the money.
Question:
What kind of cybercrime does this involve? How do deepfakes pose new risks to businesses, and
what safeguards can prevent such attacks?
Answer:
Type of Computer Crime: Business Email Compromise (BEC) evolved with deepfake
technology — a form of synthetic identity fraud.
How it works:
o AI was used to generate realistic video and audio impersonation.
o The social engineering was powered by internal company knowledge, possibly from
leaked or scraped data.
Why it’s dangerous:
o Deepfakes make it harder to verify identity.
o Attackers can manipulate trust even in real-time conversations.
Preventive Measures:
o Implement voice/video authentication measures — e.g., code words or two-factor
approvals.
o Train executives and finance teams on AI-enhanced fraud.
o Use secure communication channels (not just video calls or casual apps).
o Monitor for leaked data online that could be used in impersonation attacks.
Legal Note: Laws on deepfakes are still evolving. However, this would be treated as fraud,
impersonation, and theft under most criminal codes.
🕸️ Scenario 4: The Teen and the Dark Web Marketplace
Scenario:
16-year-old Jake is a tech-savvy teen who gets curious about the “dark web” after watching a
documentary. Using Tor and a hidden forum, he finds a site where people are trading stolen Netflix
credentials, gaming accounts, and even forged IDs. For fun and some quick cash, Jake starts selling
cracked Spotify accounts he scraped from public leaks — until one day law enforcement arrives at
his house.
Question:
What crimes did Jake commit? What is the dark web, and why is it so closely linked to cybercrime?
How should society respond to youth involvement in such activities?
Answer:
Type of Crime:
o Unauthorized access, account trafficking, and identity-related crime.
o Possibly juvenile cybercrime, depending on local law.
What is the Dark Web?
o The dark web is a portion of the internet accessible via special software like Tor, and
it hosts hidden services.
o While not illegal itself, it often hosts marketplaces for illegal goods — from drugs
and weapons to malware and stolen data.
Why it attracts cybercrime:
o Anonymity.
o Cryptocurrency-based payments.
o Decentralized hosting.
Response:
o Legally: Jake may face juvenile cybercrime charges, but rehabilitation over
punishment is often preferred.
o Educationally: This is a failure of digital ethics education.
o Preventive efforts should include cybersecurity awareness in schools, mentorship
programs for tech-enthusiastic youth, and ethical hacking clubs and competitions
(e.g., Capture the Flag events).