Ransomware attacks and data leaks have become common across the world.
Criminal groups infiltrate computer systems, steal personal or institutional data, and demand payment in exchange for not publishing it. If the ransom is not paid, they often release the information in stages — first on illegal websites, then accomplices gradually move some of this information to public platforms. Unfortunately, in some cases, ordinary users thereafter share it without realising the legal or ethical consequences.
Globally, several legal frameworks have been established to address cybercrime and protect individuals’ data privacy.
One of the most significant is the Budapest Convention on Cybercrime, which promotes cooperation between countries to investigate and prosecute cyber offences. Another is the EU’s General Data Protection Regulation (GDPR), which not only requires institutions to protect personal data but also imposes consequences for the misuse or unauthorised dissemination of such information.
Sri Lanka was South Asia’s first signatory to the Budapest Convention and has taken steps to incorporate its principles into domestic legislation. One such piece of legislation is the Computer Crimes Act No. 24 of 2007. This Act contains several important provisions relevant to the public:
• Section 3 makes unauthorised access to computer systems a criminal offence — applying to hackers or anyone who breaks into data storage systems.
• Section 6 prohibits the unlawful disclosure of information obtained through such access — including the initial publication of stolen content.
• Section 7 extends responsibility further by making it illegal to assist in the commission of these offences. This means that people who share or repost hacked content — even casually or without understanding the full context — may be seen as contributing to the crime.
The most effective way to protect yourself — and others — is to avoid interacting with leaked content altogether. Do not share, repost, or download content you suspect may have come from a data leak or hacking incident, and avoid commenting on or engaging with such posts, as increased engagement can help them spread.
Even if an investigation is not launched immediately, digital traces remain — and individuals involved in the circulation of stolen material may be called upon to explain their actions months or even years later.
In the event you do come across content that you know or believe to be from a data leak or hacking incident, report the incident to the relevant platform and consider informing the authorities.
