Digital lock-pick: Illegal access to passwords
Published: 05:06 PM, Jun 21, 2026 | Edited: 09:06 PM, Jun 21, 2026
MUSCAT, JUNE 21
Obtaining a password, security code, access token, or any other means of entry into an information system or website without legal authorisation constitutes a cybercrime punishable under Omani law, legal experts have stressed.
With the rapid expansion of digital services and the growing reliance on electronic platforms across government institutions, businesses and individuals, the protection of digital credentials has become a fundamental component of cybersecurity and information protection.
Legal practitioners note that passwords and security credentials serve as the primary gateway to electronic accounts, information systems and online services. Any unauthorised attempt to obtain or access such credentials exposes individuals and organisations to significant risks, including data breaches, financial losses, identity theft and unauthorised disclosure of confidential information.
Cybercriminals often employ a range of methods to acquire login credentials unlawfully. These include phishing attacks, fraudulent websites, malicious software, social engineering techniques and the exploitation of technical vulnerabilities. Regardless of the method used, unauthorised acquisition of access credentials remains a criminal act under the law.
According to legal provisions governing cybercrime in the Sultanate of Oman, intentionally obtaining, without lawful right, a password, code, secret number or any other means used to access an information system, website or information technology facility is a criminal offence.
The law prescribes penalties that may include imprisonment for up to one year, a fine of up to RO 100,000, or either of the two penalties, reflecting the seriousness with which such offences are treated and the importance of safeguarding digital infrastructure and personal data.
Lawyer Khalid bin Hamad al Ghailani stressed that 'protecting passwords and secret codes is no longer just a technical matter, but has become a legal obligation that enjoys clear legislative protection. Obtaining any means that enables access to an information system without legal basis is a criminal act, due to what may result in a violation of privacy or harm to the financial and commercial interests of individuals and institutions.'
Legal experts further explain that criminal liability may arise from the unauthorised acquisition of access credentials itself, even before any subsequent misuse of the information occurs. The legislation seeks to protect the confidentiality and integrity of information systems from the earliest stage of unlawful interference.
As Oman continues to advance its digital transformation agenda and expand electronic services, maintaining public trust in digital platforms remains a national priority. Ensuring the security of information systems requires not only robust legal frameworks but also increased public awareness of cyber risks and responsible online behaviour.
Experts advise users to adopt strong passwords, enable multi-factor authentication, avoid sharing confidential login information and remain vigilant against suspicious messages and fraudulent links.
Organisations are also encouraged to strengthen cybersecurity measures, conduct regular system updates and provide ongoing awareness programmes for employees.
The growing digital landscape presents significant opportunities for innovation and economic development. However, preserving the security of electronic systems and protecting sensitive information remain shared responsibilities that require cooperation between individuals, institutions and regulatory authorities.
By criminalising unauthorised access to passwords and digital credentials, Omani legislation reinforces the protection of privacy, strengthens cybersecurity and contributes to the creation of a safer and more trusted digital environment.