The Computer Misuse Act 1990 (CMA) is a UK law that was introduced to deal with the growing problem of computer crime. Before this act, there was no specific law to deal with hacking, viruses, or other forms of computer-based crime.
In 1984, two hackers — Robert Schifreen and Stephen Gold — gained unauthorised access to BT's Prestel email system and even accessed the Duke of Edinburgh's email account. They were prosecuted under the Forgery and Counterfeiting Act 1981, but the case was eventually overturned by the House of Lords because the existing laws were not designed for computer crime.
This highlighted the need for a specific law addressing computer misuse, leading to the Computer Misuse Act 1990.
The CMA defines three key offences:
Examples:
Examples:
Examples:
The Police and Justice Act 2006 added a new offence:
Examples:
Exam Tip: Be careful to distinguish between the three sections. Section 1 is about access without permission (even if you do not do anything harmful). Section 2 adds criminal intent. Section 3 involves causing damage. Many students confuse these in exams.
```mermaid
flowchart TD
    CMA[Computer Misuse Act 1990]
    CMA --> S1["Section 1<br/>Unauthorised Access<br/>Max 2 years"]
    CMA --> S2["Section 2<br/>Access + Intent to<br/>Commit Further Offence<br/>Max 5 years"]
    CMA --> S3["Section 3<br/>Unauthorised Acts<br/>Impairing Operation<br/>Max 10 years"]
    CMA --> S3A["Section 3A 2006<br/>Making/Supplying<br/>Hacking Tools<br/>Max 2 years"]
    S1 --> E1["Guessing passwords<br/>Reading emails"]
    S2 --> E2["Hacking to steal<br/>Identity theft"]
    S3 --> E3["Viruses / Malware<br/>DoS / Ransomware"]
    S3A --> E4["Selling password lists<br/>Malware kits"]
```
Despite being updated, the CMA has several limitations:
| Limitation | Explanation |
|---|---|
| Outdated | Written in 1990, before the internet, smartphones, and cloud computing existed |
| International crime | Cybercrime often crosses national borders, making prosecution difficult |
| Detection | Many cybercrimes are hard to detect and even harder to trace back to the perpetrator |
| Deterrence | Penalties may not be severe enough to deter sophisticated criminals |
| Ethical hacking | The law does not clearly distinguish between malicious hackers and ethical hackers (security researchers who find vulnerabilities to help fix them) |
| Case | Offence | Outcome |
|---|---|---|
| TalkTalk hack (2015) | A teenager gained unauthorised access to TalkTalk's customer database (157,000 records) | The teenager was sentenced under Sections 1 and 3 of the CMA |
| NHS WannaCry attack (2017) | Ransomware affected NHS hospitals across the UK | Attributed to North Korean hackers — prosecution was not possible due to international jurisdiction |
| LulzSec group (2011) | Hacked Sony, the NHS, and other organisations | Members were prosecuted under the CMA |
The Computer Misuse Act 1990 (CMA) does not operate in isolation. An effective GCSE answer shows how the CMA interacts with the Data Protection Act 2018 / UK GDPR, the Copyright, Designs and Patents Act 1988, the Fraud Act 2006, and the Investigatory Powers Act 2016. Hacking a database almost always triggers CMA offences and a data breach notifiable to the Information Commissioner's Office (ICO) within 72 hours; distributing stolen software adds copyright infringement; using stolen credentials to obtain money engages the Fraud Act 2006.
Section 1 — Unauthorised access to computer material. The prosecution must prove the defendant caused a computer to perform a function with intent to secure access to any program or data, knowing the access was unauthorised. The bar is deliberately low: merely trying to log in with a guessed password can qualify. There is no need to prove damage or financial loss.