Hasaan Arshad, 25, was found to be in ‘flagrant breach’ of tight security rules when he used his mobile phone to remove material from a computer system during his GCHQ internship
A GCHQ intern has been jailed for seven and a half years after he took top secret data home which endangered national security, risked exposing 17 colleagues and “threw away” thousands of hours of work.
Manchester University computer science student Hasaan Arshad, 25, was in “flagrant breach” of tight security rules when he used his mobile phone to remove material from a computer system and transfer it to his private computer on August 24, 2022. The defendant, who has an autism spectrum disorder, was said to be an academically gifted “perfectionist” who was motivated by a desire to complete the project he had been tasked with at GCHQ as his placement was coming to an end.
But sentencing him on Friday, Mrs Justice McGowan said his was “intellectual arrogance” and he acted under the belief that the “rules do not apply to him.” Arshad, from Rochdale, Greater Manchester, pleaded guilty to an offence under the Computer Misuse Act which carries a maximum penalty of life in prison.
READ MORE: Cyber security boss warns UK needs to wake up to risks posed by Russia and China
The defendant also admitted two charges of making an indecent photograph of a child in relation to 40 category A videos and four category B videos downloaded from the dark web and found on his personal phone following his arrest. Sentencing, Mrs Justice McGowan jailed Arshad for six years for the data breach and a further year and a half for the sexual offences.
She said: “The risk raised by this conduct was at the highest level. I accept there is no evidence of any intention to sell, disclose or ransom the material.” However, the risk was “obvious” and the damage “incalculable”, she said.
Part of the hearing – including a detailed assessment of the harm caused – was held behind closed doors in the absence of the press and public. However, the court was told that Arshad’s actions “lost a tool” being developed at GCHQ, risked exposing the identities of 17 GCHQ colleagues, and undermined the trust of partners.
Opening the facts in open court, prosecutor Duncan Atkinson KC said the data breach also “created a significant risk of damage to national security.” The Government Communications Headquarters – known as GCHQ – is the UK’s intelligence, security and cyber agency and plays an important role in keeping the country safe, in conjunction with MI5 and the Secret Intelligence Service (MI6).
The highest levels of security are needed for GCHQ to carry out its work to gain information about threats to the UK from “hostile states or terrorists” by using lawful covert tools and techniques, the court was told. Mr Atkinson said: “Put bluntly, if hostile states or terrorists were aware of how GCHQ was able to gather intelligence about their plans, they would be able to prevent the intelligence community in the UK from learning of those plans at a stage and to an extent that allows the intelligence community to thwart them.”
At the time of the offence, Arshad was coming to the end of an industry year placement with a technical development team which required him to work at a secure GCHQ site near Cheltenham, Gloucestershire, and use computer systems. The court heard he was part of a team that worked on the development of “tools and techniques” to obtain information about threats to the UK.
Arshad had undergone GCHQ induction and was required to sign the Official Secrets Act. It was made “abundantly clear” to Arshad that his access to top secret material had to be in controlled circumstances at “an extremely secure location”, Mr Atkinson said.
He went on: “In flagrant breach of those obvious and necessary restrictions, the defendant used a mobile handset provided for his use whilst on his work placement but with strictly confined scope as to its permitted use, to remove top secret material from the top secret network of the technical development team to which he had been attached.
“He then transported that material from the secure location where he had been working to his home, risking it falling into the wrong hands or being lost, and downloaded it onto a removable hard drive which formed part of the IT system that he used at his home address.
“This significant security breach compromised lawful intelligence-related activity that was being undertaken in the national interest. In doing so, he threw away many thousands of hours of work, and significant sums of taxpayers’ money.”
Mr Atkinson said his actions had damaged “confidence in UK security” because the data included the identities of a “significant number” of GCHQ colleagues and put others’ safety at “direct risk”. Following his arrest, the defendant, who went on to achieve a first class honours degree, admitted removing data without authorisation “out of curiosity” saying he had no intention to share it.
He told police: “I’m sorry for my actions and I understand the stupidity of what I have done.” Arshad said he “went out of my way” to ensure the data was stored locally and not in the cloud.
Mitigating, Nina Grahame KC said the defendant had been “reckless, thoughtless and naive” and put his “possessive” desire to complete his project above all else. He took the data home because he wanted to “continue and complete the most exciting and challenging work the defendant had ever undertaken” in the hope of gaining future employment at GCHQ, Ms Grahame said.
The court was told Arshad was driven by ambition and perfectionism having achieved the second highest mark in the country for his computer science A level. His parents were “distraught and heartbroken” at what happened and “feared” for his wellbeing in prison, Ms Grahame added.
Bethan David, head of the Crown Prosecution Service Counter Terrorism Division, said: “Hasaan Arshad knew his actions were prohibited after he signed the Official Secrets Act and received his induction training. His conduct was deliberate and intentional, and represented a flagrant breach of the obvious and necessary rules in place. The Crown Prosecution Service will always seek to prosecute anyone that knowingly jeopardises and endangers the safety of our country.”
