Yesterday the Norfolk Constabulary investigating the hack formally closed the investigation, known as Operation Cabin, without any conclusion. The reason, it said, was that they had no realistic leads. Since the Computer Misuse Act has a three year limit on proceedings from the commission of the original offense, further investigation would be a waste of public money.
While having no evidence on who was behind the hack, the police have quite clearly dismissed much of the speculation that has continuously surrounded the incident. It was not an insider nor a whistleblower; there is no evidence to suggest it was a nation-state; there is nothing to suggest that a commercial organization was trying to defend its position. What they do know is “that the data breach was the result of a sophisticated and carefully orchestrated attack on the CRU’s (Climate Research Centre at the university) data files, carried out remotely via the internet. The offenders used methods common in unlawful internet activity to obstruct enquiries.”
In a subsequent press conference Detective chief superintendent Julian Gregory explained further. “We identified that the attackers breached several password layers to get through and they got to a position where they employed different methodologies to return the data. We identified a significant quantity of data that was taken in this way, certainly in excess of that which was subsequently published in the two files in 2009 and 2011.” Furthermore, he added, “The attack was conducted over a period of time and access would have occurred on a number of occasions and certainly more than three.”
Speaking afterward to the Guardian, DCS Gregory was asked, “So they have got away with it, haven't they?”. He replied, “Essentially, yes. Much to our disappointment, of course.”