What are the maximum prison sentences for online crimes such as hacking and cyberstalking in the UK?

Checked on January 16, 2026

Executive summary

The maximum prison terms for “hacking” in the UK depend on the specific Computer Misuse Act offence: basic unauthorised access carries up to two years, more serious access with intent up to five years, and unauthorised acts causing or risking serious impairment can reach ten years or more depending on statutory provision and harm [1] [2] [3]. Sentences for online fraud or cyber-enabled offences can be higher — several statutes and case law show punishments ranging from months to well over a decade — and “cyberstalking” is prosecuted under stalking/harassment laws whose maximum penalties depend on the underlying offence rather than a single cyber‑label [4] [5] [6].

1. Hacking: three tiers under the Computer Misuse Act and the headline maximums

The Computer Misuse Act 1990 is routinely described in three tiers: simple unauthorised access (often called Section 1/Level 1) is punishable by up to two years’ imprisonment; unauthorised access with intent to commit or facilitate further offences (Level 2/Section 2) carries a maximum of five years; and unauthorised acts with intent to impair, or recklessness as to impairing, the operation of a computer (Level 3/Section 3) may attract up to ten years’ custody in the most serious cases [1] [7] [3]. Multiple sources from criminal defence firms and legal guides repeat this tiering as the standard framework used in Crown Prosecution and defence practice [2] [8].

2. Aggravating provisions, higher ceilings and exceptional exposure

Some statutory strands and case law push those headline figures higher: Section 3ZA (serious damage) and similar provisions can extend maximum penalties — commentators cite possibilities of sentences up to 14 years or even life imprisonment where conduct causes very serious damage to human welfare or national security, while government proposals and earlier Serious Crime Bill language have contemplated life for attacks on critical infrastructure [8] [9]. Practical sentencing in real cases also shows wide variation driven by harm and scale: recent prosecutions resulted in sentences from months to over a decade depending on offences such as running fraud services, selling phishing kits, or administering fraud marketplaces (examples: 21 months, 26 months suspended, nine years, 13 years, seven years in various cases) [5].

3. Cyber-enabled fraud and malware: separate statutes, higher maxima

When hacking is used to commit fraud or is accompanied by malware distribution, different statutes and aggravating factors apply and often raise maximum exposure: Fraud Act prosecutions and offences involving large-scale deception or financial loss carry penalties up to 10 years or more, and courts have issued multi‑year sentences for operators of fraud shops, phishing kit sellers and malware vendors [4] [5] [10]. Legal guidance and prosecutorial briefs stress that “cyber-dependent” crimes (where the device is both tool and target) and cyber‑enabled fraud are assessed for harm, culpability and victim impact when determining sentence [6] [11].

4. Cyberstalking and online harassment: prosecuted under stalking/harassment law, not a single cyber maximum

The sources reviewed give no freestanding maximum sentence for “cyberstalking”; the Crown Prosecution Service treats cyberstalking as conduct that is often combined with traditional stalking or harassment offences, and applies the stalking/harassment sentencing framework and relevant statutory maxima to the full conduct picture [6]. Because online harassment can be an aggravating feature of stalking cases, penalties vary according to the precise offence charged, the pattern of behaviour and whether threats or other criminal acts accompany the online conduct — none of the provided sources gives a single universal “maximum” years-for-cyberstalking figure [6].

5. What the numbers mean in practice — variability, case examples, and reporting limits

Published case sentences underscore that statutory maxima are ceilings rather than guarantees: courts have imposed anything from suspended sentences and months inside to multi‑year jail terms for different cyber offences, and specialised prosecutors emphasise harm and motive when charging [5] [11]. Reporting and law‑firm summaries converge on the two/five/ten-year framework for basic Computer Misuse Act charges but also show higher punishments where serious damage, large-scale fraud, or national‑security implications are proven — sources differ somewhat on the top-end labels (10 vs 14 years vs life) depending on which statutory subsection or policy proposal they cite [1] [8] [9]. The available reporting does not supply a single maximum sentence for “cyberstalking” because prosecution uses existing stalking/harassment laws rather than a distinct cyberstalking statute [6].
