A university student accused of removing top secret information worth millions of pounds while on a work placement with GCHQ has pleaded guilty to causing a serious risk to national security.
While on secondment to the agency, Hasaan Arshad, 25, took his work mobile phone into a top-secret area and connected the device to a workstation.
He then transferred sensitive data, containing the names of GCHQ employees, from a secure computer to the phone before taking it home.
Arshad, the son of a local councillor from Rochdale, Lancashire, allegedly then transferred the data to his personal home computer.
Prosecutors said the data was potentially worth millions of pounds and contained a tool that could have “put lives at risk”.
On the first day of what would have been a three-week-long trial, he pleaded guilty to an offence under the Computer Misuse Act 1990, and admitted to creating a significant risk of serious damage to national security.
The 25-year-old also pleaded guilty to two charges of making indecent images of children. Pic: PA
Suspect discussed ‘bug bounty’ sale
After his arrest in 2022, Arshad gave a prepared statement to officers in which he admitted to removing the data but insisted he had no intention of providing it to someone else.
“I removed the data simply out of curiosity to further develop some of the changes I was unable to complete during the course of my placement,” he said.
“I had intended to use my developments when I hopefully returned to my previous team.
“I’m sorry for my actions, and I understand the stupidity of what I have done.”
Arshad then told the police he understood “the potential damage and risk,” but insisted nobody had seen or had access to the sensitive data.
Investigators found after his arrest that he used WhatsApp to discuss “developed vetting” in the cyber sector on 26 May 2022.
He also mentioned the term “bug bounty” – an amount of money paid for providing details of a digital bug to either fix or create a software issue.
In the chat, Arshad said: “You can get like 10k for simple info leaks.”
Read more:
Driving test waiting times hit record high
Prince Andrew accuser says she has days to live
Finnish president: Trump running out of patience with Putin
Prosecuters told a previous hearing the data removed was classified as “top secret” – including names of former colleagues whose anonymity was said to be critical to the safety of GCHQ.
“Top secret” is the classification for the government’s most sensitive information, where compromise might cause widespread loss of life or threaten the security or economic well-being of the country or friendly nations, according to Ministry of Justice security guidance.
The court also heard the data removed provided a “tool” used by GCHQ – said to amount to many thousands of hours of work and a “significant amount” of taxpayer money.
Prosecutors said that if the tool was compromised, it would “put lives at risk”.
Nina Grahame KC, defending, told the court that the plea had been made on “on the basis of recklessness as to the damage caused” rather than intent to cause damage.
She added that Arshad was 21 when he began his internship, 22 at the time of the offence, and the defence would submit psychiatric and psychological reports before sentencing in June.
He was released on bail and Mrs Justice McGowan ordered a pre-sentence report but warned him “that does not mean there will not be a custodial sentence.”
Arshad will be sentenced at London’s Old Bailey court on 13 June. He will also be sentenced for two offences of making indecent images of children, which he pleaded guilty to in 2023.
As part of the investigation into the GCHQ data breach, officers found Arshad had collected 40 “category A” images, the worst type, and four “category B” images on his Samsung phone.
