GCHQ intern took home top-secret data on his phone

Data was worth millions according to prosecutors

University student pleaded guilty to taking home top secret information and placing national security at risk

A former student of Manchester University, Hasaan Arshad, 25 has pleaded guilty to removing top secret information from GCHQ, the UK’s intelligence and security organisation, on his phone, and downloading it onto another device.

Speaking yesterday at the Old Bailey, Arshad admitted that on August 24, 2022, whilst he was working as an intern, he took his phone into a highly secure area of GCHQ and downloaded top secret information – including some staff names – then returned home and transferred the stolen data to an external hard drive connected to his PC. Arshad did this two days before his year-long placement was due to finish.

Arshad pleaded guilty to breaking Section 3ZA of the Computer Misuse Act 1990, by "unauthorized acts causing, or creating risk of, serious damage."

Prosecutors said that the data exfiltrated by Arshad was not only top secret, it was also worth millions of pounds and had been developed using a "significant amount" of taxpayer money.

On September 22, 2022, Arshad was arrested and his home searched. When his computer was searched investigators found that he had created two indecent images of a child. Arshad has already pleaded guilty to charges relating to those crimes in 2023.

In a prepared statement to police, Arshad denied a financial motive. He admitted to

removing the data but said he did so “out of curiosity”.

"I removed the data simply out of curiosity to further develop some of the changes I was unable to complete during the course of my placement," he said. “I had intended to use my developments when I hopefully returned to my previous team.“

In the statement Arshad apologised and said he was aware of the stupidity of his actions. He continued:

“I understand the potential damage and risk when obtaining the data. I have accepted that I removed the data and the stupidity of doing so. I did take steps to ensure that the data was not compromised."

The court heard that, prior to his arrest, Arshad had used WhatsApp to discuss "developed vetting" in the cyber sector on 26 May 2022. The messages made references to a bug bounty. One post from Arshad in the chat said, "You can get like 10k for simple info leaks."

Arshad’s lawyer, Nina Grahame KC, argued that her client’s crime was one recklessness as opposed to an intent to cause damage. She added that Arshad was 21 when he began his internship and 22 at the time of the offence.

Arshad is currently out on bail and banned from using the dark web as part of the terms of his release. Sentencing is due on June 13th.