Why sharing leaked data online is not harmless or legal

Ransomware attacks and data leaks have become common across the world. Criminal groups infiltrate computer systems, steal personal or institutional data, and demand payment in exchange for not publishing it. 

If the ransom is not paid, they often release the information in stages — first on illegal websites, then accomplices gradually move some of this information to public platforms. Unfortunately, in some cases, ordinary users thereafter share it without realizing the legal or ethical consequences.

Globally, several legal frameworks have been established to address cybercrime and protect individuals’ data privacy. One of the most significant is the Budapest Convention on Cybercrime, which promotes cooperation between countries to investigate and prosecute cyber offences. Another is the EU’s General Data Protection Regulation (GDPR), which not only requires institutions to protect personal data but also imposes consequences for the misuse or unauthorized dissemination of such information. 

Sri Lanka was South Asia’s first signatory to the Budapest Convention and has taken steps to incorporate its principles into domestic legislation. One such piece of legislation is the Computer Crimes Act No. 24 of 2007. This Act contains several important provisions relevant to the public:

- Section 3 makes unauthorized access to computer systems a criminal offence — applying to hackers or anyone who breaks into data storage systems.

- Section 6 prohibits the unlawful disclosure of information obtained through such access — including the initial publication of stolen content.

- Section 7 extends responsibility further by making it illegal to assist in the commission of these offences. This means that people who share or repost hacked content — even casually or without understanding the full context — may be seen as contributing to the crime.

It is important to note that these laws apply equally to individuals who, knowingly or unknowingly, help spread stolen data online, as these actions magnify the threat of the cybercriminals and further victimize those who have been targeted in these attacks.

The most effective way to protect yourself — and others — is to avoid interacting with leaked content altogether. Do not share, repost, or download content you suspect may have come from a data leak or hacking incident, and avoid commenting on or engaging with such posts, as increased engagement can help them spread.Even if an investigation is not launched immediately, digital traces remain — and individuals involved in the circulation of stolen material may be called upon to explain their actions months or even years later.

In the event you do come across content that you know or believe to be from a data leak or hacking incident, report the incident to the relevant platform and consider informing local authorities, such as the Sri Lanka Computer Emergency Readiness Team (CERT) or the Computer Crimes Division of the CID.

Cybersecurity is no longer just a technical issue for companies or IT departments to handle. It’s a social responsibility that extends to all of us. Whether it’s a leaked document, private photos, or internal records — what may seem like just another sensational post is often the result of a serious crime. Sharing it only deepens the harm.