OVHcloud condemns one of its overly curious former IT specialists


A 44-year-old computer scientist has just been sentenced by the 12th criminal chamber of the Paris court to a suspended sentence of eight months’ imprisonment and a fine of 5,000 euros, ZDNet.fr noted Monday, March 13. This former freelance worker for OVHcloud was prosecuted for three computer hacking offenses: fraudulent access to an automated data processing system, fraudulent extraction of data, and fraudulently remaining in the system.

The 40-year-old from Ile-de-France was hired in November 2022, via a digital services company, by the European leader in cloud computing. The freelance administrator, with twenty years of experience in the sector, was tasked with handling support requests.

Investigation entrusted to the DGSI

But his assignment was quickly cut short. “I was not very involved, I was a little fed up with computers and I made careless mistakes,” explained the tall, bearded man with glasses from the stand. After he got tangled up in password management (“a sloppy job”, he agrees), the company ended his assignment at the beginning of February 2023 following another blunder: a botched password encryption that opened a security hole.

What happened next worried his former client even more. Although the former administrator's assignment was over, OVHcloud noticed in the hours that followed that a large number of internal projects had been downloaded. In all, approximately 250 sensitive projects, for example a data center access control diagram or a file relating to badge readers, were exfiltrated in three stages. The well-known hosting provider from northern France then alerted the DGSI and filed a complaint.

Intellectual curiosity or malevolence?

“It was stupid on my part, besides I didn’t hide,” explained the computer scientist. “I wanted to take some data for my personal knowledge and train myself during the break that would follow the end of my mission.” His lawyer, Christophe Bettati, adds: “He acted out of curiosity by looking at how OVHcloud used open source technologies”, a way of learning from concrete cases that is faster than reading official documentation.

“The complexity of this file is knowing whether it was intellectual curiosity or malice,” underlines the deputy prosecutor, Sophie Gschwind. The sentence the magistrate requested, a fine of 10,000 euros and an 18-month suspended sentence with probation, suggests that she leans toward the latter. While no leak or sale of data from the downloaded files has been observed, the prosecution is also not certain that the data, which could have some value on black markets, was not passed to a third party.

A hypothesis that “is part of the scenario”, retorts Christophe Bettati. “The scope of this file should not be exaggerated,” he adds. “If my client had been told that it was a matter for the criminal court, he would have immediately stopped.” He also noted OVHcloud's absence from the trial. During the proceedings, the company had estimated its potential loss at 75,000 euros per day in the event of a leak of the stolen data. On Monday, however, it was not represented at the hearing to present its actual damages.




