Cyberlaw (Trimester 2410)
Tutorial 3/ Week 4
Question 1
On 3 March 2020, Alex launched a Denial of Service (“DOS”) attack on the
Multimedia University website. One of the system administrators at the
website discovered that there were a large number of requests from a
particular Internet Provider (IP) address.
The overwhelming requests from this IP address caused the site to be
unresponsive. The administrator blocked the address, and normal service
resumed. However, after the block was put in place, the attack migrated
to other sites. On 23 March 2020, Alex sent to the University an e-mail
signed SL1NK which said: "You Just Don’t Learn!”. On 3 December 2020 he
sent it a further e-mail which read: “I have warned you once and I am
going to do it again that I have access to your SQL users and password
database, they are encrypted as you obviously know but it won’t take long
and by the time you have read this message I will have sold the two
databases and what is needed to have been done will have been done.”
On 10 December 2020 Alex made an anonymous telephone call to Mr.
David from Multimedia University. He told Mr. David that all of his personal
and financial information was available on the Internet as a result of a
Trojan which had been placed on his computer. Mr. David immediately
tried to log on to his bank account with his original password. It did not
work. Mr. David had to cancel his bank cards and order replacements.
Later, Mr. David also noticed that some illegal transactions has been done
without his permission. He lodged a complaint with the police. On 2nd
January 2021, Alex launched a further DOS attack on the MMU website
between 0221 hours and 1540 hours. He used a program called
CyberGhost. This disrupted the University’s business and may have
resulted in damage to its reputation. It was detected as the requests
forming the attack contained the same data string contained in the
previous attack.
On 4 January 2021 police executed a warrant and searched Alex’s home.
He was arrested and told that his computers would be seized. Alex said
the files were all encrypted and refused to provide passwords. You have
been appointed as his lawyer.
You are required to classify the offences Alex has committed and to advise
him of the penalties stated in the law.
(Total: 25 marks)
Trimester 2021/2022
��Issue 1: Whether Alex is liable for unauthorized access under S3 of the
CCA 1997
Law:
Under Section 3(1) of the CCA 1997, a person is guilty of an offence if:
(a) He causes a computer to perform any function with the intent to
secure access to any program or data;
(b) The access is unauthorized; and
(c) He knows that the access is unauthorized.
Application:
Alex launched two DOS (Denial of Service) attacks on the MMU website (3
March 2020 and 2 January 2021), causing the website to become
unresponsive due to excessive requests. This demonstrates that, he
caused the university’s computer systems to perform functions, the intent
was to disrupt and penetrate its functionality, the access was
unauthorized and repeated, which implies knowledge and clear intent.
Moreover, on 3 December 2020, Alex sent an email threatening that he
had access to the university's SQL user and password databases. His
statement that the data would be sold confirms unauthorized access to
sensitive information.
This clearly fulfills the actus reus and mens rea requirements under
Section 3(1) and Section 2(5) CCA 1997. / The intent and knowledge
elements are satisfied based on his threats and recurring offences.
Penalty (Section3(3)):
Fine not exceeding RM50,000, or imprisonment not exceeding 5
years, or both.
Conclusion:
Alex is liable for unauthorized access under Section 3(1) of the CCA 1997.
Issue 2: Whether Alex is liable for unauthorized modification under S5 of
CCA 1997
Law:
Section 5(1) of the CCA 1997 states that a person is guilty of an offence
if he does any act which he knows will cause unauthorized modification of
the contents of any computer.
�Under Section 2(7)(a–c), modification includes: Altering data, Introducing programs (like
malware), or Impairing the normal operation of any computer.
Alex’s use of a Trojan horse to compromise Mr. David’s personal
computer resulted in disabling his banking login, leaking financial data,
and causing illegal transactions.
Furthermore, the DOS attacks used tools like CyberGhost, which
disrupted the university’s systems for extended hours. Both instances
involve interference and unauthorized modification to the contents and
operations of computers.
His conduct meets the requirement of knowing intent, unauthorized acts,
and actual modification (i.e., impairing the university’s server and Mr.
David’s banking access).
CaseReference:
Public Prosecutor v Vishnu Devarajan [2016] and Kangaie Agilan v PP
[2017]
OR
Section 2(8) says it is unauthorized if done without consent from a person
entitled to make such modifications.
Application:
The DOS attacks impaired the normal operation of MMU’s website. The
Trojan installed on Mr. David’s device altered system behavior and
compromised financial data. Alex admitted to accessing encrypted
databases with intent to sell them, implying either direct extraction or
modification. These acts were done without authorization and with full
knowledge, fulfilling both actus reus and mens rea.
Conclusion:
Alex is liable under Section 5(1) for unauthorized modification.
Penalty (Section 5(4)):
If done with intent to cause injury (as in Mr. David’s case): Fine not
exceeding RM150,000, or imprisonment not exceeding 10 years, or
both.
Issue 3: Whether Alex is liable for unauthorized access with intent to
commit fraud under S4 of CCA 1997
Law:
�Under Section 4(1) of the CCA 1997, a person commits an offence if the
unauthorized access under Section 3 is committed with intent:
(a) To commit an offence involving fraud or dishonesty; or
(b) To facilitate such an offence.
The Penal Code defines: Section 23: Wrongful gain, Section 24:
Dishonesty, and Section 25: Fraudulent intent.
Application:
Alex emailed MMU, threatening to sell sensitive encrypted data—clear
intent to defraud. Mr. David suffered financial loss due to unauthorized
banking transactions caused by a Trojan. This is injury to property. The
repeated DOS attacks damaged MMU’s reputation and disrupted
business, amounting to injury.
These show Alex's intent to cause wrongful loss and fraud, satisfying
Section 4(1)(a) and Section 23 of the Penal Code.
CaseReference:
LOO WEE WAN v Regina [1955] defines fraud as involving deceit causing
financial detriment—exactly as seen in Alex’s conduct.
Conclusion:
Alex is liable under Section 4(1)(a) for unauthorized access with intent
to commit fraud and cause injury.
Penalty(Section4(3)):
Fine not exceeding RM150,000, or imprisonment not exceeding 10
years, or both.
�Question 2
1. Refer to Tutorial 2/ Week 3 - Question 1.
2. Complete the question by looking into the other offences (other than
section 3, CCA 1997).
