Email evidence used in the conviction of URA hackers
The Computer Misuse Act, 2011 laws of Uganda has been successfully used to convict two of the four people alleged to hacked into Uganda Revenue Authority (URA), a government agency responsible for revenue collection.
On June 20, 2012 the Uganda Revenue Authority (URA) arrested four men suspected of hacking into its systems for a year and also causing government losses amounting to Ugx. 2 billion. It was revealed that Richard Kibalama, an IT specialist, Guster Nsubuga one of the associates of Cargo Supplies Limited, Farouk Mugere and Patrick Owora, both clearing agents with Shafa Clearing and Forwarding were picked from the compound of URA offices at Nakawa House in Kampala seated in a vehicle, Toyota Duet, UAQ 341R in possession of three laptops, and internet access modem.
According to the official statement from URA’s Sarah Banage, Assistant Commissioner Public and Corporate Affairs, “when we closed in on them, they hurriedly closed the computers. Luckily, when the lid of one of them was opened, it had the home page of the URA intranet,” an officer, who participated in the operation, stated on condition of anonymity.
The suspects had allegedly gained illegal access into URA’s Automated System for Customs Data (ASYCUDA), a computerized customs management system that handles international trade, including customs declarations for goods and services, transit information, tax assessments and payments. The hacker’s interest was reportedly in vehicle registration data, into which they had falsely fed details of over 200 vehicles. The four suspects were then been charged with six counts of (1) un-authorised use and interception of computer services (Section 15, Computer Misuse Act 2011), electronic fraud (Section 19 of CMA, 2011), and un-authorised access to data (Section 12 of CMA, 2011) before the Anti-Corruption Court.
On 3rd April 2013, two of the suspects, Gaster Nsubuga and Farouk Mugere, were sentenced to 12 years in jail and also ordered to pay fine of US $4,500 each. However, prosecution could not prove that the convicts occasioned the stated loss of Ugx. 2.4 billion (US $ 923m) to the tax body. The convicts are said to have installed a spyware which worked as a key logger, which provided the usernames and passwords from the target victim machines to hack into URA’s system.
The Anti-Corruption court, presided over by Justice Paul Mugamba, acquitted Mr. Richard Kibalama and Mr. Patrick Owora in connection with hacking into the system.
Critical to prosecution, was an email communication in which the two exchanged and planned how to hack into the system.
The use of emails as evidence in court is gaining prominence as most people have a false sense of privacy when communicating via email and short messaging services (SMS).
This is the first high level case in which the Computer Misuse Act, 2011 has been used to prosecute offenders.
By Mustapha B Mugisa, 2013. Forensic & Anti-fraud Expert.