Data Theft - Selling and Trading Stolen Data

by Michèle Trebo
on June 09, 2022


This is How to Handle Data Theft

  • The offence of data theft does not exist explicitly in the Swiss Criminal Code SCC
  • However, there are a number of legal articles that can be applied in the case of data theft
  • These include, for example, theft under Art. 139 SCC
  • Furthermore, unauthorised access into a data processing system under Art. 143bis SCC may also apply
  • Extortion under Art. 156 SCC can also be relevant
  • And finally, handling stolen goods under Art. 160 SCC

Data theft is a term that does not explicitly exist in the Swiss Criminal Code SCC, but it is nevertheless punishable. Art. 160 SCC on handling stolen goods states that anyone who acquires, accepts as a gift, takes as a pledge, conceals or helps to dispose of a thing (in this case, data) which they know or must assume another has obtained through a criminal act against property is liable to a custodial sentence of up to five years or a monetary penalty. If the perpetrator acts commercially, he or she is liable to a custodial sentence of up to ten years or a monetary penalty of not less than 90 daily penalty units. But what does that mean exactly?

Before data theft can occur at all, the data must first have been obtained through a criminal act against property. This often involves unauthorised intrusion into a data processing system, as punishable under Art. 143bis SCC. For example, an unknown perpetrator, whom we call the Beagle Boys, penetrates the data processing system of the company Duck and steals sensitive customer data. Both the unauthorised intrusion into the data processing system and the theft of the data (theft under Art. 139 SCC) already constitute criminal offences.

How does data theft work?

Now the Beagle Boys are in possession of the Duck company’s customer data and want to earn money with it. They can do this in two ways. Either they blackmail the Duck company (extortion under Art. 156 SCC) by contacting it and demanding a certain amount of money for the return or deletion of the data, or they offer the customer data for sale on the web. The fences, in this case the Beagle Boys, are punished according to the penalty of the predicate offence if it is milder. If the predicate offence is an application offence, the handling of stolen goods is only prosecuted if there is an application for prosecution of the predicate offence (handling stolen goods under Art. 160 SCC). In the case study, the Beagle Boys decide to offer the stolen customer data of the Duck company for sale on an online marketplace for leaked data. Donald discovers the Beagle Boys' offer and also wants to profit from this data. He transfers cryptocurrency to the Beagle Boys and receives the leaked data of the Duck company in return. By buying this data, Donald has already made himself liable to prosecution for handling stolen goods under Art. 160 SCC. If he sold the data, that would also be punishable.

Data theft vs. ransomware

Data theft should not be confused with ransomware. With ransomware, the perpetrators extort a ransom for the release of a computer or the data on it. In contrast to data theft, the perpetrators use malware to prevent access to data, its use or the entire computer system.

Protection from cyber attacks

Whether you are a private individual or a company, staying informed about cyber attacks and protecting yourself accordingly has become indispensable. If you don’t want to become a victim, you should regularly check for serious cases in order to detect vulnerabilities and remedy them at an early stage.


Private individuals are advised to keep their web browser, operating system and software up to date. In addition, virus protection and a firewall make it more difficult for a possible attacker to gain access. In general, care should be taken to choose a secure password and a separate password for each log-in. A password manager can help with this. Passwords should be at least ten characters long, contain upper and lower case letters, numbers and special characters. It is also not recommended to choose passwords that are associated with the user or contain actual words. Furthermore, security regarding log-in can be improved by opting for two-factor authentication where possible. Before opening an email or its attachment, it is important to consider what might be behind it. Downloads should also be considered carefully. In addition, care should be taken to always use an encrypted internet connection (HTTPS).


Companies are advised to review their security model at regular intervals or have it reviewed. Security assessments, penetration tests, etc. can provide information about possible vulnerabilities. It is also important to sensitise employees to possible cyber attacks and to train them in the use of the infrastructure. An emergency plan can help the company react promptly and correctly. External data back-ups and secure data exchange are also ways to counteract cyber attacks.

Behaviour in an emergency

What do you do if you become a victim of data theft despite taking all precautions? First, check how likely it is that the perpetrator is actually in possession of your data. It is possible that they only want to get their hands on money and do not have the actual data at all. For example, you can ask the perpetrator for a sample data set. If there is a possibility that the perpetrator has the real data, appropriate measures should be taken. It is not advisable to pay the demanded amount of money, because there is no guarantee that the perpetrator will not subsequently resell the leaked data, or that they will actually delete it. In this case, it is recommended to contact specialists.


Cyber attacks have become part of everyday life and should not be ignored. With simple tricks, you can prevent such attacks and protect not only yourself, but also your company. Especially in an emergency such as data theft, you should be prepared and react correctly. Data theft does not exist explicitly in the Swiss Criminal Code. Nevertheless, it is punishable and can constitute several criminal offences. For example, theft under Art. 139 SCC, unauthorised access into a data processing system under Art. 143bis SCC, extortion under Art. 156 SCC and handling stolen goods under Art. 160 SCC may apply. If you are not sure whether you are sufficiently protected or have been the victim of a cyber attack, we will be pleased to assist you.

About the Author

Michèle Trebo

Michèle Trebo has a Bachelor of Information Technology at ZHAW and worked six years as a police officer in the field of cyber crime investigations. She is responsible for criminal research topics like darknet analysis, cyber threat intelligence, fraud investigation, and forensics. (ORCID 0000-0002-6968-8785)

