Unauthorized Access & UK Law: What Constitutes a Breach and How to Handle It

Introduction

In an era where digital access is crucial to business operations, the line between authorized and unauthorized actions can sometimes become blurred. Just because an individual has admin access does not automatically mean they have the right to perform certain actions, particularly when explicit conditions have been set.

This article explores unauthorized access under UK law, how businesses should handle such incidents, and why covering tracks can be legally and ethically problematic.

Let’s take a hypothetical scenario where a client, despite being given full admin access, makes a decision that leads to serious contractual and legal consequences—all because they did something they shouldn’t have.


A Hypothetical Case of Unauthorized Access Gone Wrong

Imagine a web development agency working on a new eCommerce platform for a high-profile client. The agency sets up a work-in-progress development site, making it clear that:

✅ The client has admin access for transparency.
✅ The client must not install, remove, or change anything.
✅ The agency is responsible for backups, security, and project integrity.
✅ The agency owns all contents of its server, and deliverables are provided upon project completion.

Despite these conditions, the client decides to log in and create a full backup of the work-in-progress site without informing the agency. This might seem harmless at first, but what follows is a legal and operational nightmare.

What Went Wrong?

🚨 The client took a backup but failed to properly secure it.
🚨 The backup contained sensitive API keys, unencrypted agency test data, and configuration files.
🚨 The file was uploaded to a third-party storage service with poor security settings, exposing the business to data leaks.
🚨 The client, realizing the mistake, deleted logs and records to cover their tracks.


Unauthorized Access: A Breach of Contract and the UK Computer Misuse Act 1990

Under the UK Computer Misuse Act 1990, unauthorized access is defined as:

"A person is guilty of an offence if they cause a computer to perform any function with intent to secure access to any program or data held in any computer where access is unauthorized."

In a contractual setting, unauthorized access can also constitute a serious breach of contract, especially if it leads to:

✅ Data compromise or exposure of sensitive business information.
✅ Disruption of project integrity, leading to additional costs for remediation.
✅ Security vulnerabilities, making systems more susceptible to cyber threats.

In our hypothetical case:

❌ Taking an unauthorized backup – Violates the agreement between the agency and the client.
❌ Removing or altering data logs – Could be classed as an attempt to cover up unauthorized actions, which can have legal implications.

Depending on the severity of the action, the individual or company responsible could face:

  • Civil action for breach of contract – If the agency suffers damages, they can sue for financial loss.
  • Criminal liability under the Computer Misuse Act – If intent to cause harm is proven.
  • GDPR violations – If customer data was included in the backup and exposed.

Handling Unauthorized Access as a Business

If a company suspects unauthorized access, the following steps should be taken immediately:

1. Log & Preserve Evidence

✅ Check server logs, file modification records, and access timestamps.
✅ Preserve a copy of all logs before any further access occurs.
✅ Document everything—who, what, when, and where.

2. Assess the Impact

🚨 Was data leaked, modified, or deleted?
🚨 Does the action create a security vulnerability?
🚨 Does it breach any data protection regulations (GDPR, PCI DSS, etc.)?

3. Communicate Internally & Externally

🔹 If an employee was responsible, follow internal disciplinary procedures.
🔹 If a client was responsible, document the violation and discuss corrective actions.
🔹 If legally required, report the breach to the Information Commissioner’s Office (ICO).
🔹 Finally, the hardest choice one may ever have to make in business—escalating the matter to law enforcement if necessary.

4. Restore & Secure the System

🔐 If necessary, restore backups and resecure compromised assets.
🔐 Consider changing admin credentials to prevent further unauthorized actions.
🔐 Implement additional security measures (logging enhancements, access monitoring, etc.).
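
One way to carry out step 1 and later detect the kind of log tampering described in the scenario, as an added example that is not part of the original article. The function names, the manifest layout, the collector name "analyst-1" and the sample log lines are all assumptions constructed for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_prefix(path, limit=-1):  # limit=-1 hashes the whole file (read in one go)
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(limit)).hexdigest()

def preserve(log_dir, evidence_dir, collected_by):
    """Copy every log file into evidence_dir/files and write a hash manifest beside it."""
    log_dir, evidence_dir = Path(log_dir), Path(evidence_dir)
    (evidence_dir / "files").mkdir(parents=True, exist_ok=True)
    files = {}
    for src in sorted(p for p in log_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(log_dir).as_posix()
        dst = evidence_dir / "files" / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        files[rel] = {"sha256": sha256_prefix(dst), "size": dst.stat().st_size}
    manifest = {"collected_by": collected_by, "source": str(log_dir),
                "collected_at": datetime.now(timezone.utc).isoformat(), "files": files}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def compare(manifest, log_dir):
    """Logs only grow, so the preserved bytes must still be a prefix of each live file."""
    result = {}
    for rel, meta in manifest["files"].items():
        live = Path(log_dir) / rel
        if not live.is_file():
            result[rel] = "missing"  # deleted, or rotated away, since collection
        elif sha256_prefix(live, meta["size"]) != meta["sha256"]:
            result[rel] = "altered"  # truncated, or earlier entries rewritten
        else:
            result[rel] = "intact"   # unchanged, or only appended to
    return result

def demo():
    """Constructed sample logs: auth.log gains a line, access.log has a line replaced."""
    with tempfile.TemporaryDirectory() as logs, tempfile.TemporaryDirectory() as ev:
        Path(logs, "auth.log").write_text("10:01 session opened for admin\n")
        Path(logs, "access.log").write_text("10:01 admin login\n10:02 backup export\n")
        manifest = preserve(logs, ev, "analyst-1")
        Path(logs, "auth.log").write_text("10:01 session opened for admin\n10:09 session closed\n")
        Path(logs, "access.log").write_text("10:01 admin login\n10:07 viewed /products\n")
        return compare(manifest, logs)

if __name__ == "__main__":
    print(demo())
```

Store the evidence directory on a system the suspected account cannot write to; a "missing" result can also come from normal log rotation, so check the rotation schedule before drawing conclusions.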


The Danger of Covering Tracks

One of the biggest mistakes individuals make when they realize they’ve overstepped boundaries is attempting to hide their actions. Under UK law, this can escalate the severity of the offense significantly:

  • Tampering with logs or altering records could constitute intent to mislead an investigation, which may carry additional legal consequences.
  • Deleting critical files to remove evidence may be considered intentional damage, potentially leading to criminal charges.
  • Failure to disclose a security incident—whether deliberate or not—could result in severe regulatory penalties under GDPR and other data protection laws.

🚨 Attempting to cover up unauthorized access often worsens the situation. Transparency and accountability are always the best course of action.


Lessons Learned: Think Before You Act

This case highlights why it’s crucial to respect boundaries, even when you have admin access. Just because you can do something doesn’t mean you should. If you’re ever in doubt:

✅ Ask before taking any action outside the agreed scope.
✅ Consider the legal and operational risks of your actions.
✅ Understand that accountability matters—both for businesses and individuals.

At the end of the day, unauthorized actions—whether intentional or not—can lead to major repercussions. A single mistake could compromise security, trust, and legal standing.
