Our client is a leading IT company specializing in software development and website solutions. It is a foreign company based outside the country. in the past, the company’s director has been accused in a criminal case in the United Arab Emirates. The accusation is related to one of our employees who illegally hacked and destroyed the data of a website.
The company had entered into a contract with a major institution in the UAE to create and develop a website that provides services to over 10,000 clients. However, due to a dispute between the accused company and a former employee, the employee launched a cyber-attack, exploiting a vulnerability known as SQL injection. This attack resulted in the destruction of the targeted institution’s database and the deletion of critical data, leading to a 15-day disruption of their website.
The public prosecution conducted an investigation with the developer company and heard testimonies from the victim’s witnesses (its information security staff). Subsequently, it decided to refer the case to the criminal court.
The accused company ” Client ” hired our law firm to defend them in court after six other law firms failed to comprehend the technical aspects of the case. After contracted, we submitted a defense memorandum and presented our case to the judges, emphasizing that the software development company did not commit any crime. We argued that the main cause of the breach was the targeted institution’s failure to provide adequate protection for the software.
Furthermore, the accused hacker’s knowledge of the source code would not allow him to exploit the vulnerability and the employee’s knowledge of the code did not aid in the hacking process. In addition, we explained that the SQL code was necessary to establish a connection between the Microsoft database and the developed software. Without it, the linking process would not have been possible. We also highlighted that this vulnerability has been known for over 15 years and can be protected through using widely available cyber security programs in the IT market.
As part of the legal proceedings, a specialized technical expert committee in the field of cybersecurity was appointed by the criminal court.
The cybersecurity experts committee concluded in its report which submitted to the criminal court that the software developer company was not responsible for the hacking incident. They stated that the primary reason for the hacking was the inadequate protection provided to the website by the victim’s cybersecurity staff, who only implemented a firewall to defend against attackers. This firewall is usually not enough to provide full protection and they should put another cyber security’s program such as WAF for cyber security to provide the full protection from the attackers.
Additionally, the experts stated that the victim company chose to launch the program on the web without addressing these vulnerabilities, ultimately resulting in the software and database being hacked.
Based on this technical report, the criminal court acquitted the accused company ” Our Client “and sentenced the former employee, who was absent during the trial, for their involvement in the incident.
No comment