A London court has sentenced two men to imprisonment after one hacked into both Microsoft's and Nintendo's internal servers and shared that access over IRC channels, and the other used the shared access to obtain confidential product information.
24-year-old security researcher Zammis Clark first gained access to a Microsoft server using an internal username and password in January of 2017, The Verge reports. Over the next three weeks, Clark used web shells to remotely access, search, and upload and download files from the network, in total stealing around 43,000 files. He also shared that server access with others over IRC channels, enabling numerous others worldwide to also obtain confidential company information. He was eventually caught in June of that year.
One of the people who gained access to the servers via Clark's sharing was Thomas Hounsell, who appeared with him in the London court. Hounsell was also caught in June after performing copious searches for product information on Microsoft's servers across a 17-day period.
After being arrested, Clark was eventually released on bail. But while awaiting trial, he hacked into Nintendo's network via VPNs and stole numerous usernames and passwords.
In total, Nintendo estimates between $900,000 and $2 million in damages. Microsoft estimates $2 million.
This is not the first time Clark has been involved in a security incident of this kind. He was involved in the data breach of Hong Kong electronics manufacturer Vtech in 2015; though he admitted to his participation in that breach, he was not prosecuted. He has also worked at Malwarebytes and in other security research roles for years, uncovering security flaws in various software and apps.
Clark has been sentenced to 15 months' imprisonment, suspended for 18 months. Hounsell has been sentenced to six months' imprisonment, also suspended for 18 months, plus 100 hours of community service.
"Today's action by the Courts in the UK represents an important step," said CVP of customer security and trust at Microsoft regarding the trial. "Stronger internet security not only requires strong technical capability but the willingness to acknowledge issues publicly and refer them to law enforcement. No company is immune from cybercrime. No customer data was accessed, and we're confident in the integrity of our software and systems. We have comprehensive measures in place to prevent, detect, and respond to attacks."
Nintendo also issued a statement: "Nintendo is committed to protecting its intellectual property and consistently evaluates and updates its data protection and security protocols accordingly. However, despite our ongoing efforts, we discovered that our corporate servers were illegally accessed last year. Though no consumer data was accessed as part of this incident, we continue to hold the protection of both our consumers' data and our intellectual property as a top priority in our data management operations."
Update 01/04/2019: Malwarebytes has reached out to GamesIndustry.biz to emphasise that Clark was not a member of its staff at the time of these incidents.
A spokesperson said, “The alleged behavior happened before the individual was hired as a Malwarebytes employee. When we learned about the allegations, we terminated his employment. Malwarebytes does not condone this type of behavior.”