A 25-year-old computer science student, Hasaan Arshad, has been sentenced to seven-and-a-half years in prison for transferring classified intelligence files from a secure GCHQ network to his devices, creating a significant risk to UK national security.
The case highlights critical vulnerabilities in handling top-secret data and underscores legal consequences under the Computer Misuse Act 1990.
Technical Breach and Unauthorized Data Transfer
Arshad, during a 2021–2022 placement at GCHQ’s Cheltenham facility, exploited his access to a top-secret network—a Secure Isolated Network (SIN) designed for the UK’s most sensitive intelligence assets.
On August 24, 2022, he connected a GCHQ-issued mobile phone to his workstation and transferred classified files containing tools for threat intelligence gathering.
These files, stored on a Top Secret (TS) classification tier, included methodologies for infiltrating hostile state and terrorist communications.
The data was later found on an external hard drive at his Rochdale home during a Metropolitan Police Counter-Terrorism Command raid.
Forensic analysis revealed the files had been exposed to an unsecured home system, risking interception by adversarial entities.
Legal Repercussions Under Section 3ZA
According to the report, Arshad pleaded guilty to violating Section 3ZA of the Computer Misuse Act 1990, which criminalizes unauthorized acts causing or risking serious damage to national security.
This statute, amended in 2015, carries a maximum life sentence for breaches impacting critical national infrastructure or security.
Prosecutors emphasized Arshad’s reckless disregard for protocols, including his signed commitment to the Official Secrets Act during his GCHQ induction.
Bethan David of the CPS Counter Terrorism Division stated: “His actions undermined lawful intelligence operations and wasted taxpayer resources”.
Concurrently, Arshad received an 18-month sentence for possessing indecent images of children, unrelated to the breach.
Risk Factors in National Security Data Breaches
The case exemplifies systemic risks in handling classified information.
Below is a technical analysis of key vulnerabilities and mitigations:
| Risk Factor | Description | Impact | Mitigation |
|---|---|---|---|
| Unauthorized Data Transfer | Exfiltration of TS data to personal devices | High | Strict device controls, real-time monitoring |
| Insider Threat | Authorized personnel misusing access | High | Enhanced background checks, behavioral analytics |
| Non-Compliance with Protocols | Violating security policies (e.g., SIN usage) | Critical | Regular audits, automated compliance checks |
| Data Exposure on Unsecured Systems | Storing TS data on non-government hardware | Critical | Encryption, air-gapped networks |
Arshad’s sentencing reinforces the gravity of mishandling classified data, particularly within intelligence agencies.
While no direct evidence of foreign interception emerged, the breach exposed critical gaps in insider threat detection and secure data governance.
GCHQ has since intensified protocols for removable media and personnel monitoring.
This case serves as a stark reminder of the balance between operational agility and national security imperatives.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1).webp?resize=1600,900&ssl=1&description=The case highlights critical vulnerabilities in handling top-secret data and underscores legal consequences under the Computer Misuse Act 1990.){kind=link}