Experts sound alarm over sharing hacked data as cyber-attacks rise in SL

• Forwarding or even downloading stolen information, regardless of intention, can amount to a criminal offense
• in Sri Lanka, offenses under the Computer Crimes Act can lead to significant fines and even imprisonment, depending on the severity and repercussions of the violation.

Sri Lanka’s cyber-security and legal communities this week warned the public against sharing hacked information, asserting that such acts are illegal and carry serious consequences under the country’s law. 

The alert comes in the wake of increased incidents in cyber-attacks in the recent months. Several institutions, including leading corporates and public sector entities have fallen victim for the same. These incidents have reignited concerns about the country’s digital security and the manner in which the public engages with leaked data. According to analysts, forwarding and downloading stolen information, no matter the intention, is treated as a criminal offense. 

“People often think that simply sharing what is already online is harmless. But that is not the case. Under Sri Lankan law, one can be held accountable even if they were not directly involved in the original breach,” a legal expert familiar with cyber-security regulations said, speaking on condition of anonymity. Sri Lanka’s Computer Crimes Act No. 24 of 2007 criminalises unauthorised access to computer systems. 

Beyond that, it also makes the possession, distribution, and communication of unlawfully obtained data a punishable offense. While the legislation dates back nearly two decades, experts note that it is still highly relevant in today’s digitally-driven environment, where information spreads at a rapid pace. 

“When a breach happens, the initial damage is bad enough. Making it worse is when people make more noise by sharing the stolen material. They do not realise they are making the harm bigger,” explained a cyber-security analyst.

The risks are particularly severe in cases of ransomware attacks. This is where cyber-criminals deliberately leak sensitive data to pressure organizations into paying hefty ransoms. 

In such instances, experts warn that even unintentional sharing of leaked material strengthens the attackers’ hand and increases the exposure of the victims. Meanwhile, globally too, the handling of hacked data is treated as a highly serious offense. 

Under the European Union’s General Data Protection Regulation (GDPR), mishandling personal data following a breach can attract significant financial penalties. In the United States (US), the Computer Fraud and Abuse Act (CFAA) not only criminalises unauthorised access, but it also penalises the distribution of unlawfully obtained information. 

The case is similar in the United Kingdom, Singapore, and India have legislations that impose penalties on both hackers and those who further disseminate stolen material. 

A common agreement across jurisdictions is that ignorance or intent offers little protection. Legal analysts caution that courts are increasingly holding individuals accountable for circulating confidential or sensitive information, regardless of whether they were fully aware of its origins. In Sri Lanka, offenses under the Computer Crimes Act can lead to significant fines and even imprisonment, depending on the severity and repercussions of the violation.