A GCHQ intern who endangered national security by downloading top secret information while on a work placement with the intelligence agency has been jailed.
Hasaan Arshad, 25, was on secondment to the communications agency when he took his work mobile phone into a top secret area and connected the device to a workstation.
The Manchester University student downloaded the names of spies and risked exposing 17 colleagues in August 2022, the Old Bailey heard.
The computer expert, who is the son of a local councillor from Rochdale, Lancashire, has now been jailed for seven and a half years.
Arshad previously pleaded guilty to an offence under the Computer Misuse Act which carries a maximum penalty of life in prison.
He also admitted two charges of making an indecent photograph of a child in relation to 40 category A images and four category B images found on his personal phone following his arrest.
On Friday, Arshad appeared at the Old Bailey to be sentenced by Mrs Justice McGowan.
Prosecutor Duncan Atkinson KC said according to The Standard: ‘His actions created a significant risk of damage to national security for reasons that can only be fully explained in a private hearing.
‘In short, however, his actions compromised the security and utility of the material and the role it played in the national interest, and he also in the process put the safety of intelligence agency personnel at risk.’
Hasaan Arshad, 23, was charged under the Computer Misuse Act
In an embarrassing security incident for GCHQ, Arshad was working as an intern during a year-long university work placement when he managed to obtain the top secret data worth millions of pounds.
He transferred sensitive data containing the names of GCHQ employees from a secure computer in the Cheltenham to the phone before taking it home.
Arshad then transferred the data to a hard drive connected to his personal home computer.
After his arrest, investigators discovered a conversation on Arshad’s phone when he discussed ‘developed vetting’ in the cyber sector.
Arshad mentioned the term ‘bug bounty’ which refers to an amount of money that an individual could be paid for providing details of a digital bug to either fix or create a software issue.
Arshad stated: ‘You can get like 10k for simple info leaks.’
When he was interviewed by the police, Arshad gave officers a prepared statement in which he accepted that he removed data without authorisation.
But he insisted he had no intention of providing anybody with the data.
‘I would like to apologise for my actions,’ he said.
‘I removed the data simply out of curiosity to further develop some of the changes I was unable to complete during the course of my placement. I had intended to use my developments when I hopefully returned to my previous team.
‘I’m sorry for my actions and I understand the stupidity of what I have done.’
He stated that nobody had seen or had access to the sensitive data and no one was aware that he had it in his possession.
Pictured: The GCHQ base in Cheltenham
‘I understand the potential damage and risk when obtaining the data. I have accepted that I removed the data and the stupidity of doing so. I did take steps to ensure that the data was not compromised,’ he added.
At a previous hearing it emerged that the data removed was classified at ‘top secret’ and provided a ‘tool’ used by GCHQ.
The investment in the tool was said to amount to a ‘significant amount’ of taxpayer’s money.
Commercially, the data was potentially worth millions of pounds, prosecutors said.
The data contained the names of Arshad’s former colleagues and the protection of those names was said to be critical to the safety of GCHQ’s employees because of the counter-intelligence risks associated with such employment.
It could take many months or even years to develop a comparable tool and its compromise would have an impact on various organisations’ abilities and would ‘put lives at risk,’ it was said.
The keen computer gamer had previously attended a ten-week programme at GCHQ in 2019 designed to give participants vocational skills, for which he was screened at the lowest security check level.
He went on to study at Manchester University, later graduating with a masters in computer engineering after returning to GCHQ for a one-year placement between September 6, 2021 and August 26, 2022, when he was granted developed vetting (DV) security clearance, the highest level.
Two days before leaving his placement, he obtained the secret data.
‘Top secret’ is the classification for the Government’s most sensitive information, where compromise might cause widespread loss of life or threaten the security or economic wellbeing of the country or friendly nations.
Prior to his arrest, Arshad boasted on his LinkedIn page that he was a ‘skilled software engineer who can see ideas through from design to implementation,’ saying he had worked as a developer at a ‘government agency’ and had been tasked with designing, researching and implementing a key software project.
