SLC wire transfer fraud: Experts confirm system ‘compromised’
Sri Lanka Cricket’s (SLC) IT system was so badly protected that it was left wide open to hacking, the Computer Emergency Readiness Team (CERT) says in a detailed report issued to the National Audit Office (NAO). But it does not rule out the possibility of inside involvement in the alleged wire transfer fraud that took place last year.
While it remains unclear who the perpetrators behind the attempted fraud are, an ongoing criminal investigation may take a fresh turn after CERT and the NAO found the IT system vulnerable to compromise. SLC has not, they say, maintained strong and proper IT policies such as data backup, data retention, a comprehensive IT policy and BYOD (bring your own device).
“It is clear that this incident took place due to the lack of proper (well documented) IT policies at Sri Lanka Cricket,” CERT concludes. If such policies had been implemented “this incident could have been identified and rectified”, it said.
SLC’s Head of Finance (HoF) was sent on compulsory leave in September 2018 pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 187,000 due for South Africa’s tour of Sri Lanka to an account at Banamex Bank, Mexico.
He also allegedly told Sony Pictures to remit a further US$ 5.5mn (the first broadcast payment for the England tour of Sri Lanka) to an account at Hang Seng Bank in Hong Kong in the name of an entity called Fanya Silu Co Ltd.
This was to be credited automatically to the Banamex Bank in Mexico, by way of an electronic wire transfer where money is sent to the final beneficiary’s bank account via an intermediary bank.
The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case. The CID has made little progress though.
The NAO was requested by the Ministry of Sports to conduct a forensic audit. The draft report, a copy of which is in the possession of the Sunday Times, shows this wasn’t the first time an attempt had been made to get the money deposited in a foreign bank.
On July 4, 2018, the HoF issued instructions – copied to Chief Executive Officer Ashley de Silva – to Sony to transfer a sum of US$ 436,531.08 (the second instalment of the South African series) to SLC’s Bank of Ceylon (BoC) account. But on July 12, the HoF asked that the payment be made to a Wells Fargo account abroad. By then, however, the money was already in the BoC account.
Piyal Nandana Dissanayake, the HoF, has maintained consistently that his email was hacked. The SLC’s IT division repeatedly dismissed his position saying it had foolproof controls (Office 365 login). The CERT and the NAO reject this. They say SLC could have avoided the scam had strong IT policies been in place.
“At this point, it is hard to determine which side’s email accounts were compromised,” the CERT report states. “But it is clear that either Sony Pictures Network India (PVT) Ltd or Sri Lanka Cricket email accounts were compromised, or maybe even both sides. More information on this can be gathered after reviewing Sony Pictures Network India (PVT) Ltd email account settings, email headers and email logs”.
“After going through the email settings, email headers and email logs of Head of Finance, CEO and Head of Finance’s Secretary, it is possible to determine that there have been a series of suspicious activities involved during the time period of 1st of July to 10th of August 2018,” the report says. “But due to the lack of email logs and system logs it is not feasible to identify the IP addresses of the suspicious activities with the date and time.”
Even though Microsoft 365 keeps email logs for 90 days, the IT department provided logs only for 30 days from August 12 to September 11, 2018. This has raised doubt in the NAO of a deliberate attempt to hide vital information.
“Finally, it is not feasible to determine the Internet Protocol (IP) address of the person who had added the forwarder to the head of finance’s email account because there were no email logs provided by the IT manager of Sri Lanka Cricket,” CERT says. “Email logs are available only from August 12, 2018, onwards. According to Microsoft, Office 365 keeps logs for a period of 90 days and, after verbal discussions with Microsoft, the network admin can extend this to 180 days.”
The draft forensic audit says the IT manager could deliberately be hiding information. “We cannot rule out the possibility of an attempt by the IT manager to hide the information by not getting the email logs for the maximum period,” the NAO’s own conclusions say.
According to the CERT report, the IT manager is capable of viewing emails and deleting logs related to each user. He can read anyone’s emails, and from them can learn the business flow and, if he is so inclined, how the organisation operates.
“As mentioned earlier, this is a serious privacy issue because the IT manager can eavesdrop on sensitive information,” CERT says. “For example, if the IT Manager of Sri Lanka Cricket wants to know how the invoices are generated in Sri Lanka Cricket, it is possible to do so.”
“The IT manager is capable of adding email forwarders to anyone’s email account without getting into the user email accounts,” CERT has found. “This function is needed when an employee leaves the Department or Office, where the IT manager should be in a position to redirect that person’s emails to a higher authority or someone responsible.”
“This facility can also be misused by the IT manager,” it continued. “But that particular email account holder will get a notification saying that an email forwarder has been added to his/her account. Finally, considering all the powers and responsibilities granted to the IT Manager by Sri Lanka Cricket and Microsoft 365, it is clear that Microsoft 365 is operating purely based on the IT manager’s loyalty and trust.”
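The two gaps CERT describes – an admin-set forwarder on a finance mailbox and audit logs pulled for only 30 of the 90 retained days – are both things an Exchange Online administrator can check routinely. The following script is an added example written for this article, not code from CERT, the NAO or SLC; it assumes the ExchangeOnlineManagement module and an account with audit-reading rights, and the 90-day window and the `forwarding-audit.csv` file name are assumptions.

```powershell
# Added example: enumerate every forwarder in the tenant and export who set it,
# when and from which client IP, for the full audit-log retention window.
# Assumes the ExchangeOnlineManagement module and an account with audit rights.
Connect-ExchangeOnline   # interactive sign-in

# 1. Admin-level forwarding, set with Set-Mailbox and needing no access to the user's mailbox
$adminForwarders = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. User-level inbox rules that forward or redirect mail
$ruleForwarders = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, ForwardTo, RedirectTo, Enabled
}

# 3. Who changed forwarding, and when: query the whole retention window (90 days assumed), not 30 days
$start  = (Get-Date).AddDays(-90)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -Operations 'Set-Mailbox','New-InboxRule','Set-InboxRule','UpdateInboxRules' -ResultSize 5000

$forwardChanges = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Set-Mailbox records carry every changed parameter; keep only forwarding-related ones
    $p = $d.Parameters | Where-Object { $_.Name -match 'Forwarding|DeliverToMailboxAndForward' }
    if ($p -or $d.Operation -ne 'Set-Mailbox') {
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId      # admin or user who made the change
            Target    = $d.ObjectId    # mailbox that was modified
            Operation = $d.Operation
            ClientIP  = $d.ClientIP    # the value CERT could not recover without the logs
            Params    = ($p | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

$adminForwarders | Format-Table -AutoSize
$ruleForwarders  | Format-Table -AutoSize
$forwardChanges  | Sort-Object When | Export-Csv forwarding-audit.csv -NoTypeInformation
```

`Search-UnifiedAuditLog` returns at most 5,000 records per call, so a busy tenant needs the `-SessionId`/`-SessionCommand ReturnLargeSet` paging parameters; exporting the CSV on a schedule is what preserves the evidence once the retention window has rolled past.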
In March—six months after being assigned the task of conducting a fact-based investigation on incoming proceeds related to media broadcasting rights—Ernst & Young, a reputed audit firm, found after extensive analysis of the email transactions that emails, particularly those containing instructions to transmit money into an offshore account that did not belong to SLC, originated from a fake Internet Protocol (IP) address.