The High Criminal Court of Bahrain has sentenced a student to three months in prison and a BD1,000 fine for hacking a university’s electronic systems. The court, however, ordered the prison sentence to be substituted with mandatory attendance in rehabilitation and training programmes.
In its ruling, the court said it took a “compassionate view” of the circumstances of the case. It considered the issued punishment appropriate for the defendant’s actions. “The court aims to benefit from the defendant’s skills and experience by keeping hope for his reintegration into society.
Mandating rehabilitation programmes is expected to contribute to reforming his behaviour and allowing him to gain knowledge, instead of limiting his freedom under the conviction,” the court stated in its ruling.
This substitution aligns with Article 18 of Law 18 of 2017, which allows alternative penalties to imprisonment. Defence lawyer Salman Aldousari argued earlier that his client should be “utilised as a prodigy”, noting that the cybersecurity student hacked systems out of curiosity to test his technical abilities.
However, he neglected that the action nearly implicated a second-year female student in legal trouble and expulsion, as occurred in the defendant’s case for installing malicious programmes on a university computer.
Aldousari said the university benefited from learning about system vulnerabilities from the National Cybersecurity Centre’s report. While inexcusable, the court could consider the defendant’s scientific talents, the lawyer added.
“There was also no internal policy forbidding cybersecurity students’ actions. Therefore, I plead with the court to acquit him or use leniency if convicted,” he stressed.
The student was arrested after the National Cyber Security Centre received a report from a senior network specialist at the university indicating that the university’s security software had successfully prevented an attempt to download malicious software onto one of the computers in the information technology lab.
Based on the report, it was revealed that the programme the accused student attempted to download was designed to crack secret codes stored in computer systems and bypass its security programmes.
Further investigation traced the attempted download to the personal data of a student in one of the departments unrelated to the computer science department. The student denied involvement, stating that she was not knowledgeable about using such technologies.
Through the investigation, it was discovered that the accused student, who was studying cybersecurity, obtained her personal login credentials through the university’s systems and computers. He was subsequently apprehended.