What are considered data phishing sites and content infected with viruses, spyware or worms?

Published: 19 September 2017

Submit report

Illustration: data phishing sites and content infected with viruses, spyware or worms

Here, reports can be made of websites where users’ personal information, for example user name and password or bank card number, is requested to be provided with the presumed aim of misusing such data to the detriment of users.

This category includes websites that are presumably operated with the aim of collecting personal information from users and misusing it. Content that enables the spread of with viruses, spyware or worms are also fall in this category.

Phishing websites are typically designed to obtain information such as user names and passwords, social security numbers, bank account numbers, PIN numbers, credit card numbers, users’ birth dates and mothers’ maiden names.

It is important to note that unsolicited electronic mail (spam) does not fall within the competence of the Hotline and the National Media and Infocommunications Authority has a separate form for reporting spam, available at https://e-nmhh.nmhh.hu/e-nhh/4/urlapok/esf00101/.

Act C of 2012 on the Criminal Code

Misuse of Personal Data

Section 219

(1) Any person who, in violation of the statutory provisions governing the protection and processing of personal data:

a) is engaged in the unauthorized and inappropriate processing of personal data; or

b) fails to take measures to ensure the security of data;

is guilty of a misdemeanor punishable by imprisonment not exceeding one year.

(2) The penalty in accordance with Subsection (1) above shall also be imposed upon any person who, in violation of the statutory provisions governing the protection and processing of personal data, fails to notify the data subject as required, and thereby imposes significant injury to the interests of another person or persons.

(3) Any misuse of personal data shall be punishable by imprisonment not exceeding two years if committed in connection with special data.

(4) The penalty shall be imprisonment not exceeding three years for a felony if the misuse of personal data is committed by a public official or in the course of discharging a public duty.

Illicit Access to Data

Section 422

(1) Any person who, for the purpose of unlawfully gaining access to personal data, private secrets, trade secrets or business secrets:

a) covertly searches the home or other property, or the confines attached to such, of another person;

b) monitors or records the events taking place in the home or other property, or the confines attached to such, of another person, by technical means;

c) opens or obtains the sealed consignment containing communication which belongs to another, and records such by technical means;

d) captures correspondence forwarded by means of electronic communication networks - including information systems - to another person and records the contents of such by technical means;

is guilty of a felony punishable by imprisonment not exceeding three years.

(2) Any person who is engaged in gathering information with intent to determine the identity of any person who covertly cooperates with the covert investigation or law enforcement authorities, or with the secret service shall also be punishable in accordance with Subsection (1).

(3) Any person who discloses or uses any personal data, private secret, trade secret or business secret obtained by way of the means described in Subsections (1)-(2) shall be punishable in accordance with Subsection (1).

(4) The penalty shall be imprisonment between one to five years if illicit access to data under Subsections (1)-(3) is committed:

a) by the unlawful impersonation of an authority;

b) on a commercial scale;

c) in criminal association with accomplices; or

d) causing a significant injury of interests.

Breach of Information System or Data

Section 423

(1) Any person who:

a) gains unauthorized entry to an information system by compromising or defrauding the integrity of the technical means designed to protect the information system, or overrides or infringes his user privileges;

b) disrupts the use of the information system unlawfully or by way of breaching his user privileges; or

c) alters or deletes, or renders inaccessible without permission, or by way of breaching his user privileges, data in the information system;

is guilty of a misdemeanor punishable by imprisonment not exceeding two years.

(2) The penalty shall be imprisonment between one to five years for a felony if the acts defined in Paragraphs b)-c) of Subsection (1) involve a substantial number of information systems.

(3) The penalty shall be imprisonment between two to eight years if the criminal offense is committed against works of public concern.

(4) In the application of this Section ‘data’ shall mean facts, information or datum stored, controlled, processed and transmitted in information systems in all forms which allows them to be processed in information systems, including those programs designed to execute certain functions by the information systems.

Compromising or Defrauding the Integrity of the Computer Protection System or Device

Section 424

(1) Any person who, for the commission of the criminal offense defined in Section 375 or 423:

a) creates, transfers, supplies, obtains or places on the market passwords or computer programs required therefor or facilitating thereof; or

b) offers his economic, technical and/or organizational expertise to another person for the creation of passwords or computer programs required therefor or facilitating thereof;

is guilty of a misdemeanor punishable by imprisonment not exceeding two years.

(2) In the case of Paragraph a) of Subsection (1), any person who confesses to the authorities his involvement in the creation of any password or computer program required for the commission of the criminal offense, or facilitating thereof, before the authorities learned of such activities through their own efforts, and if the person surrenders such produced things to the authorities and assists in the efforts to identify the other persons involved, shall not be prosecuted.

(3) For the purposes of this Section ‘password’ shall mean any identifier comprised of a string of alphanumeric characters, codes, biometric data or the combination thereof, designed to gain entry into an information system or any segment thereof.