A GCHQ intern endangered national security, risked exposing 17 colleagues, and “threw away” thousands of hours of work when he took Top Secret data home, a court has heard.
Manchester University computer science student Hasaan Arshad, 25, was in “flagrant breach” of tight security rules when he used his mobile phone to remove material from a computer system and transfer it to his private computer on August 24 2022.
Arshad, from Rochdale, Greater Manchester, pleaded guilty to an offence under the Computer Misuse Act which carries a maximum penalty of life in prison.
He also admitted two charges of making an indecent photograph of a child in relation to 40 category A images and four category B images found on his personal phone following his arrest.
On Friday, he appeared at the Old Bailey to be sentenced by Mrs Justice McGowan.
The court was told that part of the hearing – including a detailed assessment of the harm caused – would be outlined behind closed doors in the absence of the press and public.
However, the court was told that Arshad’s actions “lost a tool” being developed at GCHQ, risked exposing the identities of 17 GCHQ colleagues, and undermined the trust of partners.
Opening the facts in open court, prosecutor Duncan Atkinson KC said: “His actions created a significant risk of damage to national security for reasons that can only be fully explained in a private hearing.
“In short, however, his actions compromised the security and utility of the material and the role it played in the national interest, and he also in the process put the safety of intelligence agency personnel at risk.”
The Government Communications Headquarters – known as GCHQ – is the UK’s intelligence, security and cyber agency and plays an important role in keeping the country safe, in conjunction with MI5 and the Secret Intelligence Service (MI6).
The highest levels of security are needed for GCHQ to carry out its work to gain information about threats to the UK from “hostile states or terrorists” by using lawful covert tools and techniques, the court was told.
Mr Atkinson said: “Put bluntly, if hostile states or terrorists were aware of how GCHQ was able to gather intelligence about their plans, they would be able to prevent the intelligence community in the UK from learning of those plans at a stage and to an extent that allows the intelligence community to thwart them.”
At the time of the offence, Arshad was coming to the end of an industry year placement with a technical development team which required him to work at a secure GCHQ site near Cheltenham, Gloucestershire, and use computer systems.
The court heard he was part of a team that worked on the development of “tools and techniques” to obtain information about threats to the UK.
Arshad had undergone GCHQ induction and was required to sign the Official Secrets Act.
It was made “abundantly clear” to Arshad that his access to top secret material had to be in controlled circumstances at “an extremely secure location”, Mr Atkinson said.
He went on: “In flagrant breach of those obvious and necessary restrictions, the defendant used a mobile handset provided for his use whilst on his work placement but with strictly confined scope as to its permitted use, to remove Top Secret material from the top secret network of the technical development team to which he had been attached.
“He then transported that material from the secure location where he had been working to his home, risking it falling into the wrong hands or being lost, and downloaded it onto a removable hard drive which formed part of IT system that he used at his home address.
“This home computer system wholly failed to match the necessarily exacting security requirements of GCHQ’s systems, and therefore exposed this Top Secret material to the vagaries and risks of an unsecure computer system connected to the internet at an insecure location.
“This significant security breach compromised lawful intelligence related activity that was being undertaken in the national interest. In doing so, he threw away many thousands of hours of work, and significant sums of taxpayers’ money.”
Mr Atkinson said his actions had damaged “confidence in UK security” because the data included the identities of a “significant number” of GCHQ colleagues and put others’ safety at “direct risk”.
Following his arrest, the defendant admitted removing data without authorisation “out of curiosity”.
He said in a statement that he had no intention to hand over the data to anyone else.
He told police: “I would like to apologise for my actions. I removed the data simply out of curiosity.
“I’m sorry for my actions and I understand the stupidity of what I have done.”
Arshad said he “went out of my way” to ensure the data was stored locally and not in the cloud.
Asked if he had breached the level of trust and confidence by removing the sensitive data without authority, he replied: “No comment.”
Mitigating, Arshad’s lawyer Nina Grahame KC said the defendant had been “reckless” “thoughtless and naive”.
His internship had involved working on a “specific project” which he had been unable to complete before the end of the placement, she explained
He took the data home because he wanted to “continue and complete the most exciting and challenging work the defendant had ever undertaken” in the hope of gaining future employment at GCHQ, Ms Grahame said.
