Businesswoman sentenced for illegally deleting company files

A woman has been prosecuted under the Computer Misuse Act (CMA) 1990 for deleting thousands of crucial files from the servers of a company that went into liquidation.

Danielle Bulley, former director of a property marketing firm, was found guilty of gaining unauthorised access to the servers of a new company that was created from its remains and deleting more than 5,000 documents.

The 58-year-old was charged with computer misuse offences and given an 18-month community order and unpaid work requirement when she appeared for sentence at York Crown Court, according to the North Yorkshire Police.

“During our investigation, it became clear that Bulley had left the original company on a bad note, but the deletion of thousands of files containing vital information was catastrophic for the victim. It dealt the new business a blow from which it never recovered,” said detective constable Steven Harris of the Cyber Crime Unit.

“Ex-employees can pose a serious risk to a business because they are familiar with the company’s IT infrastructure and procedures. This can make it easier for them to carry out cyber crimes against their former organisation.

“We encourage businesses to ensure they have policies in place for removing user accounts and changing passwords when an employee leaves an organisation.”

Bulley resigned as a director from the new property marketing business, which was launched using the assets of the old company after it went into liquidation. Several months later she gained access to the new company’s servers and permanently deleted all their data.

The individual who ran the new firm said her actions caused job losses and financial losses of nearly £100,000. The damage to the company was so extensive, he added, that the company could no longer operate and was forced to go under.

The North Yorkshire Police was approached and the Cyber Crimes Unit launched an investigation, with digital forensic investigations showing that company data had been remotely accessed by somebody using Bulley’s IP address.

She was questioned and admitted to deleting the files, which she believed she was entitled to do, though she said she knew doing so would disrupt the operations of the new company.

Only a handful of people are charged under the CMA 1990 each year, perhaps a few dozen according to the constabulary, and cases often tend to be isolated and localised. One example, from 2018, involves a motor industry employee being sentenced to six months in prison for accessing customer records using his colleague’s login details.

However, an organisation earlier this year branded the legislation as out-of-date and claimed it prevents cyber security professionals from properly doing their jobs. In a report published in January, the Criminal Law Reform Now Network (CLRNN) said the CMA imposed restrictions on journalists and academics investigating cyber threats in the public interest and is in dire need of reform.

Keumars Afifi-Sabet
Contributor
