21-year-old Lewys Martin, of Deal in Kent, targeted the websites of Oxford and Cambridge Universities by carrying out Denial of Service attacks and hiding his IP address. He also defrauded businessman David Bradley and attacked a server belonging to Kent Police.
The Court of Appeal heard from Martin’s lawyers that his sentence was too long because he had only slowed the websites down. His appeal was rejected by a panel of three judges on the grounds that a deterrent was needed.
An Oxford University spokesman said that “where appropriate, improvements have been made”.
The university has numerous defences in place to defend against such attacks and appropriate mitigating action was taken. As a result the impact was kept to a minimum and normal service was resumed very quickly.
“No systems or information were compromised as a result of these attacks however, as is the usual procedure following any security incident, all security controls were reviewed following this attack and, where appropriate, improvements have been made.”
At the time, it was estimated that two weeks of manpower were used to deal with the attacks on both of the Oxford and Cambridge sites.
During his trial, Martin had pleaded guilty to nine offences. The charges included one count of unauthorised access to computer material as well as a further five counts of unauthorised acts with the intent to impair computer function.
Denial of Service attacks work by sending multiple requests for information, causing the website to stop functioning as intended.
The attacks, in 2011 and 2012, rendered Oxford’s website unusable. Martin was part of the “hacktivist” group NullCrew, and also went by the username Sl1nk.