The experiences of a chief executive at one small business highlight the problems organisations face in reporting and dealing with e-crime.
Felicity Smith has first-hand experience of the frustrations of dealing with police officers who do not understand e-crime, a growing problem that cost UK businesses £2.4bn in 2004 (Computing, 25 January).
When her company went into administration, a bookkeeper was appointed to help get the business back on its feet.
The bookkeeper introduced a computer system to handle accounts. Smith had little knowledge of IT systems, and was unaware that when the system was up and running the bookkeeper was backing up all the accounts to his home computer.
Smith had previously used physical copies and disks to back up accounts information. After a few months she became suspicious of her bookkeeper’s activities and tried to access the accounts herself.
‘I wanted to get into the accounts just to see how things looked and I found that he had changed the password,’ she said. ‘Reluctantly he told me what he had changed it to.’
A month or so later, the bookkeeper resigned.
‘When he left I could not get into the accounts,’ said Smith. ‘I immediately thought I needed a solicitor, so I contacted one, as well as the makers of the program, who said they could provide me with a new password.’
Two days later she had a password, only to be told by the computer that ‘this program has been moved or removed’. She also discovered that payroll information had disappeared from the system.
‘This was when I went to the police,’ said Smith. ‘I also found out that the disks we had been using to back up on after September 2004 had all disappeared, too. Shortly afterwards I received a letter from the bookkeeper saying that if I wrote him a letter of recommendation he would return our information.’
Smith went to be interviewed at her local police station by a member of Thames Valley Police. She identified three potential crimes, theft of the disks under the Theft Act, illegally accessing information under the Computers Misuse Act, and theft of employee details under the Data Protection Act.
‘The PC who interviewed me said he wasn’t aware of the Computer Misuse Act or the Data Protection Act. I had to specifically ask later for this to be passed on to a high-tech crime unit or somebody who knew more about the situation,’ said Smith.
She was told that the police would not be pursuing the case.
A recent Computing investigation has found that most local police forces have fewer than five people with high-tech crime expertise. ‘Trying to convince management that you need training is very difficult because they are not technically minded,’ said one police officer we spoke to.
Typically forces have only one or two network investigators with the skills needed to investigate a case such as Mrs Smith’s, and many reported backlogs of work. Thames Valley Police has one of the larger high-tech crime units with 10 dedicated people.
Many businesses have voiced concerns that they do not know who to report crimes to.
IT expert Alan Cox, giving evidence to a recent House of Lords Science and Technology Committee, said: ‘If you walk up to the desk sergeant at a typical police station he does not understand the problem. We need an understanding of e-crime in police stations.’
Mrs Smith contacted her local MP, who contacted the police. Eventually they replied to him saying: ‘It was clear right from the start that this case needed an expert eye and as such all the case papers were sent to our specialist … in the economic crime unit. Their advice was that this was not a case that would be prosecuted by the CPS, and revolves around matters that are civil in nature.’
But John Halton, technology lawyer with law firm Cripps Harries Hall, says it appears a crime has been committed.
‘On the face of it, there could be an offence under the Data Protection Act for unlawful obtaining of personal data,’ he said.
‘Under the Computer Misuse Act, if they have gone beyond their authorisation that can be a criminal offence. I have no idea whatsoever why they would not prosecute it.’
Mrs Smith has never regained the company information, and has spent more than £8,000 pursuing the case.
Some names have been changed in this article.
How to report e-crime
z Go to your local police station first. If there is a real-life aspect to the case, such as physical theft, as well as an electronic aspect, make sure you highlight it.
z Ask for your case to be referred to an inspector in the high-tech crime unit, preferably one with network investigation skills.
z If the crime involves any kind of fraud, report it to
www.met.police.uk/fruadalert as well, to help police get an idea of the extent of e-crime.
z If local police fail to address the problem and you think you have a good case, write to your local MP.
z Always report theft of data. If the police do investigate your case they are likely to do so in a sensible and non-intrusive way.
Further Reading:
E-crime efforts stall over staff
Have you had a similar experience? Email us at: feedback@computing.co.uk
reader comments