Case Details
- Citation: [2013] SGHC 141
- Title: Liew Cheong Wee Leslie v Public Prosecutor
- Court: High Court of the Republic of Singapore
- Date: 25 July 2013
- Judge: Choo Han Teck J
- Coram: Choo Han Teck J
- Case Number: Magistrate's Appeal No 91 of 2012
- Applicant/Appellant: Liew Cheong Wee Leslie
- Respondent: Public Prosecutor
- Counsel for Appellant: Wee Pan Lee (Wee Tay & Lim LLP); Wee Tay & Lim LLP (as indicated); Christopher Ong and Terence Chua (Attorney-General’s Chambers) for the Public Prosecutor
- Legal Area: Criminal Procedure and Sentencing – Sentencing
- Statutes Referenced: Computer Misuse Act (Cap 50A, 1998 Rev Ed) (“the Act”)
- Key Provisions: Sections 3(1) and 3(2); Section 2 definition of “damage”
- Charges: Five counts under s 3(1) and one count under s 3(2)
- Trial Outcome (Magistrate’s Court): Convicted on all six charges; fined $3,000 each for the first to fifth charges; and for the sixth charge, two weeks’ imprisonment and a $15,000 fine
- Appeals: Appellant appealed against conviction and sentence; Public Prosecutor cross-appealed against sentences
- Judgment Length: 4 pages, 2,129 words (as provided)
- Cases Cited: [2013] SGHC 141 (no other cases provided in the extract)
Summary
In Liew Cheong Wee Leslie v Public Prosecutor [2013] SGHC 141, the High Court dismissed the appellant’s appeal against conviction for offences under the Computer Misuse Act. The appellant, an engineer working on a power monitoring and control system (“PMCS”) at the Marina Bay Sands Integrated Resort, was found to have deliberately manipulated the system to cause a massive blackout at the resort. Although he argued that he was authorised to access the system as part of his employment, the court accepted the prosecution’s case that he used elaborate steps to obtain remote access and then executed commands inconsistent with any legitimate work purpose.
The court also addressed the Public Prosecutor’s cross-appeal on sentencing. While the appellant’s conviction for the sixth charge was upheld, the High Court held that the enhanced sentencing regime under s 3(2) of the Act was not properly made out on the facts pleaded and proved at trial. In particular, the prosecution had not particularised or proved “damage” as defined in s 2 of the Act. The court therefore amended the sixth charge to remove the reference to s 3(2) and imposed a sentence aligned with the other s 3(1) charges.
What Were the Facts of This Case?
The appellant, then 35 years old, was employed by Power Automation Pte Ltd (“PA”) from 17 January 2010 until 13 May 2010. During his employment, he was assigned to work at the Marina Bay Sands Integrated Resort (“MBS”), where PA acted as a sub-contractor for the setup and installation of a sophisticated computer system known as the “Power Monitoring Control System” or “PMCS”. The PMCS was described as a client/server system that collected status information from field devices (such as meters, circuit breakers, earth switches, battery chargers, UPS units, and network switches) and enabled monitoring and control of digitally controlled equipment throughout the resort, including the casino.
The PMCS was integrated into the resort’s electrical infrastructure. Electricity was drawn from the national grid at 22kV and distributed across the site, with step-down transformers reducing voltage to 400 volts for various sections. The casino’s circuit control switch box was located in the gear room, and the switch controlled the supply of electricity to the casino. There were also five generators on site as standby power, each rated at 6.6kV. The generator output was stepped up to 22kV and distributed across the site, then stepped down to 400 volts by transformers. The system included circuit breakers that could be controlled either locally or remotely; importantly, if the switch was set to “local”, the PMCS could not control the breakers, whereas in “remote” mode the PMCS could open or close them.
Operationally, the PMCS continuously monitored the status of the 22kV and 6.6kV distribution systems and automatically reacted to power failure conditions. It allowed operators to use a Human Machine Interface (“HMI”) at workstations to monitor and control the high tension (“HT”) system and to monitor low voltage main switchboards. The PMCS also maintained logs: an entry log recording time, identity, and actions each time the system was accessed, and an alarm log recording alarms upon malfunctions. Access to the PMCS was controlled by viewing accounts and operator-level accounts (OP1), each protected by passwords.
On 12 May 2010, a massive blackout occurred at the casino around 12.20am, affecting levels from the basement to level 3 of the northern section. The police were called because a security supervisor suspected that the blackout resulted from wilful tampering with the electrical system. After investigations, the appellant was charged with five counts under s 3(1) of the Computer Misuse Act and one count under s 3(2). The appellant claimed trial, was convicted on all six charges, and was sentenced to fines of $3,000 each for the first to fifth charges. For the sixth charge, he received two weeks’ imprisonment and a $15,000 fine. Both conviction and sentence were appealed.
What Were the Key Legal Issues?
The first key issue was whether the appellant’s conduct fell within the offence elements of s 3(1) of the Computer Misuse Act, particularly whether he “knowingly cause[d] [a] computer to perform any function” for the purpose of securing unauthorised access to program or data. The appellant’s central defence was that he was working on a project for his employer and therefore had authority to access the system. The court had to determine whether the evidence showed legitimate authorised access, or instead deliberate unauthorised access and misuse.
The second issue concerned the sixth charge under s 3(2). Section 3(2) provides for enhanced punishment where “damage is caused” as a result of an offence under s 3. The High Court therefore had to decide whether the prosecution had properly particularised and proved “damage” as defined in s 2 of the Act. This required careful attention to the charge as pleaded and the evidence actually led at trial.
Finally, the sentencing issues on appeal required the court to consider whether the trial judge’s sentence was correct in light of the statutory sentencing framework, and whether the Public Prosecutor’s cross-appeal justified enhancement beyond the sentences imposed for the s 3(1) charges.
How Did the Court Analyse the Issues?
On conviction, the court rejected the appellant’s attempt to characterise the case as non-hacking or authorised work. While the appellant argued that he was part of the project team and therefore did not overstep his authority, the High Court focused on the factual pattern of access and execution. The court accepted that sensitive and vital controls required special access codes, and it was not disputed that such access was controlled. The decisive point was that the appellant did not merely use existing authorised access in the course of his work; instead, the court found that he went through an “elaborate process” to give himself remote access through his personal computer.
The court also relied on evidence that the appellant added an email address, “ernie.masih@gmail.com”, to the system administrator in order to gain access. The court treated this as a significant indicator because the email address was his but was not used since 2009 and was not an address known to his employers. More broadly, the court concluded that the appellant completed layers of security commands to execute an instruction that caused the blackout. The court reasoned that the procedure required for such execution ruled out accidental activation. In the court’s view, the “inescapable conclusion” was that the appellant deliberately intended to cause the blackout.
Importantly, the court treated the absence of any legitimate instructions or reasons for the blackout as supporting the inference of “mischief”. Even if the appellant might have been angry with MBS or his employer, the court held that his actions were still an offence under s 3 of the Act because he had no authority to access the computer, and certainly no authority to use it to create a blackout at MBS. The High Court also noted inconsistencies in the appellant’s statements regarding whether he acted deliberately under the sixth charge, and found his explanation to be without merit. Accordingly, the appeal against conviction was dismissed.
On sentencing and the sixth charge, the High Court’s analysis turned on the statutory definition of “damage” and the prosecution’s duty to particularise the charge. The Public Prosecutor argued that the sixth charge should attract enhanced punishment because the act amounted to “intentional sabotage” and because the blackout caused damage. The court accepted that s 3(2) is an enhanced version of s 3(1) and that enhanced sentencing is available where “damage is caused”. However, the court emphasised that “damage” is not any harm or consequence; it is damage as defined in s 2 of the Act.
The court set out the statutory definition of “damage”, which includes specific categories: (a) impairment to a computer or integrity/availability of data or system/information causing loss aggregating at least $10,000 (subject to the one-year limitation), or other amounts prescribed by Gazette; (b) impairment affecting medical examination/diagnosis/treatment; (c) causing or threatening physical injury or death; and (d) threatening public health or public safety. The court stressed that these instances are “very specific” and that it is the prosecution’s duty to ensure that all particulars constituting the charge are given so that the accused knows exactly what he must defend against.
Crucially, the court found that the original sixth charge appeared to specify that the damage was under s 3(2)(a) because it contained the phrase “of at least $10,000” immediately after the words “causing damage”. But the charge was amended by striking out “of at least $10,000”. This indicated that the prosecution was not alleging and proving that the accused caused damage of at least $10,000. The High Court then observed that the amended charge did not state what damage was being alleged, and no evidence was led to detail the relevant damage category. The defence did not identify the gap, and the trial judge assumed that damage was proved, relying on reasoning about financial losses and reputational harm.
The High Court corrected this approach. It held that the trial judge’s reasoning about financial losses and reputational damage was not the “damage” particularised in the charge, and that a loss of reputation is not defined as damage under the Act. The court further rejected the prosecution’s attempt on appeal to frame the blackout as a threat to public safety. While the blackout might be a plausible threat in common sense terms, the court held that it was not particularised in the charge and was not the prosecution’s case at trial. No evidence was led to support that theory. In short, because damage was neither particularised nor proved, and because the trial judge made no findings on such damage based on evidence, the sixth charge could only be treated as a charge under s 3(1).
As a result, the High Court amended the sixth charge by deleting the words “Section 3(2) read with” and varied the sentence accordingly. The court imposed a fine of $3,000 and, in default, three weeks’ imprisonment—bringing the sixth charge’s sentence in line with the other s 3(1) charges. This demonstrates the court’s insistence on strict compliance with the pleading and proof requirements for enhanced statutory sentencing provisions.
What Was the Outcome?
The High Court dismissed the appellant’s appeal against conviction. It upheld the finding that the appellant deliberately intended to cause the blackout by executing unauthorised commands through the PMCS, and that his actions fell squarely within the offence elements of s 3 of the Computer Misuse Act.
However, the court allowed the sentencing aspect of the appeal in relation to the sixth charge. It amended the sixth charge to remove the s 3(2) enhancement basis and varied the sentence to a fine of $3,000 (with three weeks’ imprisonment in default), rather than the two weeks’ imprisonment and $15,000 fine imposed by the trial court.
Why Does This Case Matter?
Liew Cheong Wee Leslie v Public Prosecutor is significant for two main reasons. First, it illustrates how the High Court will assess “authorised access” defences in computer misuse cases involving operationally sensitive systems. Even where an accused is employed on a project and may have some legitimate access, the court will scrutinise whether the accused’s conduct was consistent with authorised use. The decision underscores that deliberate steps to circumvent security controls and execute harmful commands can negate any claim of lawful authority.
Second, the case is a strong authority on the procedural and evidential requirements for enhanced sentencing under s 3(2) of the Computer Misuse Act. The court’s insistence that the prosecution must particularise and prove “damage” as defined in s 2 is a practical reminder that enhanced penalties are not automatic consequences of serious outcomes. Prosecutors must plead the specific statutory category of damage and lead evidence to support it. Trial courts, in turn, must not substitute general notions of harm (such as reputational damage) for the statutory definition.
For practitioners, the case is therefore useful both for defence strategy and prosecution practice. Defence counsel can challenge enhanced charges where the pleading does not clearly identify the statutory “damage” category and where evidence is absent. Prosecutors should ensure that the charge sheet and evidence align with the statutory elements, particularly when seeking the higher sentencing range under s 3(2). The decision also provides a sentencing calibration approach: where s 3(2) is not made out, the court may revert to the baseline sentencing framework under s 3(1).
Legislation Referenced
- Computer Misuse Act (Cap 50A, 1998 Rev Ed), s 3(1) [CDN] [SSO]
- Computer Misuse Act (Cap 50A, 1998 Rev Ed), s 3(2) [CDN] [SSO]
- Computer Misuse Act (Cap 50A, 1998 Rev Ed), s 2 (definition of “damage”) [CDN] [SSO]
Cases Cited
Source Documents
This article analyses [2013] SGHC 141 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.