Bingo!!!
The National Audit Office (NAO) has become the third agency to confirm that the email accounts of Sri Lanka Cricket (SLC) were compromised but has come no closer to unraveling who is responsible for the alleged wire transfer fraud last year.
The NAO conducted a forensic audit on the Sports Ministry’s request after the SLC Head of Finance (HoF) was sent on compulsory leave in September 2018 pending inquiry into allegations that he instructed Sony Pictures Networks India (Pvt) Ltd to transfer US$ 187,000 due for South Africa’s tour of Sri Lanka to an account in Banamex Bank, Mexico.
He also allegedly told Sony Pictures to remit a further US$ 5.5 million (the first broadcast payment for the England tour of Sri Lanka) to an account in the Hang Seng Bank in Hong Kong in the name of an entity called Fanya Silu Co Ltd. This was to be credited automatically to the Banamex Bank in Mexico, by way of an electronic wire transfer where money is sent to the final beneficiary’s bank account via an intermediary bank. The Criminal Investigation Department is investigating the fraud.
The NAO report states that “individual e-mail accounts and common e-mail accounts of Sri Lanka Cricket as a whole had been compromised”. “It is concluded that owing to the internal control weaknesses of the invoice process and information technology system of Sri Lanka Cricket, attempt had been made to pay US$ 11,565,350 (sic) to an account extraneous to Sri Lanka Cricket,” states the chapter related to the collection of income through the sale of international TV broadcast, radio internet, mobile (wireless) and sponsorship rights of Sri Lanka Cricket and examination of matters connected therewith or incidental thereto.
However, it is not clear how the Auditor General came up with the US$ 11,565,350 figure as the amount mentioned earlier was US$ 5.5 million, the first instalment for the home series against England. Also, the total amount due for the England series was US$ 11,128,809.
And, while it also remains unclear who the perpetrators of the attempted fraud are, the Audit Report recommends legal action against “the officers responsible for the shortcomings” while, at the same time, claiming the SLC’s email accounts were compromised. It stops short of naming these officers but the Auditor General states he has no evidence to confirm that the Chief Executive Officer (CEO) and HoF “had been unaware of this matter”.
The report is scathingly critical of the SLC’s IT policy which it says was neither strong nor proper. There was no data backup, data retention, comprehensive IT policy or BYOD (bring your own device) policy, contrary to what the SLC has claimed.
A report issued by the Computer Emergency Readiness Team (CERT) to support the forensic audit states that the IT Manager could have been aware of the entire operation or of sensitive information as he had access to all email accounts on the SLC’s email server. The IT manager is capable of viewing emails and deleting logs related to each user. He can read anyone’s emails and is able to understand the business flow and, if interested, how the organisation is operating. This was also highlighted in the NAO report which will soon be tabled in Parliament.
“For example, the entire process from invoicing up to the collection of money by the Sri Lanka Cricket can be known at the same instance,” the Audit Report says. “Further, it has been confirmed by 9.2 of the CERT Report that he could set forwarder and he did not require the permission of the User for that purpose and according to 6.1, multi-factor authentication had not been enforced. Further, it has also been confirmed by 9.3 of the Report that the Manager of Information Technology can delete the User activity and he can log through nadeeshan.suriya@srilankakcricket.lk for that purpose. Likely, email logs related to the problematic period too had not been presented to the Audit.”
The Auditor General has recommended that a strong IT policy be implemented to avoid such occurrence in the future. “Necessary arrangements should be made to properly monitor all the e-mail accounts of the Institute, remove the significant settings in general operation, prevent the possible opportunities to examine details included in an e-mail message of a particular person without permission of the respective party, activate control system of the Multi Factor Authentication to the e-mail accounts and to preclude the deletion of e-mail messages included in the official e-mail account without proper approval,” the report states.
The attempted fraud came to light when Sony queried why it was required to deposit money in an account of Fanya Silu Co and not Sri Lanka Cricket. The sports body quickly suspended the instructions and the Criminal Investigation Department (CID) was assigned the case. The CID has made little progress though.
On July 4, 2018, the HoF issued instructions–copied to Chief Executive Officer Ashley de Silva–to Sony to transfer a sum of US$ 436,531.08 (the second instalment of the South African series) to SLC’s Bank of Ceylon (BoC) account. But on July 12, the HoF asked that the payment be made to a Wells Fargo account abroad. By then, however, the money was already in the BoC account.
Piyal Nandana Dissanayake, the HoF, has maintained consistently that his email was hacked. The SLC’s IT division repeatedly dismissed his position saying it had foolproof controls (Office 365 login). The CERT and the NAO reject this. They say SLC could have avoided the scam had strong IT policies been in place.
“At this point, it is hard to determine which side of this email accounts were compromised,” the CERT report states. “But it is clear that either Sony Pictures Network India (PVT) Ltd or Sri Lanka Cricket email accounts were compromised or may be even both the sides. More information on this can be gathered after reviewing Sony Pictures Network India (PVT) Ltd email accounts settings, email headers and email logs”.
“After going through the email settings, email headers and email logs of Head of Finance, CEO and Head of Finance’s Secretary, it is possible to determine that there have been a series of suspicious activities involved during the time period of 1st of July to 10th of August 2018,” the report says. “But due to the lack of email logs and system logs it is not feasible to identify the IP addresses of the suspicious activities with the date and time.”
Even though Microsoft 365 keeps email logs for 90 days, the IT department provided logs only for 30 days from August 12 to September 11, 2018. This has raised doubts in the NAO of a deliberate attempt to hide vital information.
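An added example (not taken from the NAO or CERT reports) of two checks these findings call for: flagging mail forwarding that was set by someone other than the mailbox owner or that points outside the organisation, and measuring how much of a suspicious period a supplied log extract covers. The record layout, addresses and the `example.org` domain are constructed for illustration; only the dates passed to `uncovered_days` come from the article.

```python
from datetime import date

# Constructed sample events; field names are assumptions for this sketch, not a
# real export schema. Set-Mailbox and New-InboxRule can both configure forwarding.
FORWARD_OPS = {"Set-Mailbox", "New-InboxRule"}
SAMPLE_EVENTS = [
    {"day": date(2018, 8, 14), "actor": "it.admin@example.org",
     "mailbox": "finance.head@example.org", "operation": "Set-Mailbox",
     "forward_to": "copy@outside.example"},
    {"day": date(2018, 8, 20), "actor": "secretary@example.org",
     "mailbox": "secretary@example.org", "operation": "New-InboxRule",
     "forward_to": "finance.head@example.org"},
    {"day": date(2018, 8, 22), "actor": "ceo@example.org",
     "mailbox": "ceo@example.org", "operation": "New-InboxRule",
     "forward_to": "personal@outside.example"},
    {"day": date(2018, 8, 23), "actor": "ceo@example.org",
     "mailbox": "ceo@example.org", "operation": "MailboxLogin", "forward_to": None},
]

def flag_forwarders(events, org_domain):
    """Return (mailbox, day, reasons) for forwarding changes that need review."""
    findings = []
    for ev in events:
        target = ev.get("forward_to")
        if ev["operation"] not in FORWARD_OPS or not target:
            continue  # not a forwarding change
        reasons = []
        if ev["actor"].lower() != ev["mailbox"].lower():
            reasons.append("set by someone other than the mailbox owner")
        if not target.lower().endswith("@" + org_domain):
            reasons.append("forwards outside the organisation")
        if reasons:
            findings.append((ev["mailbox"], ev["day"], reasons))
    return findings

def uncovered_days(win_start, win_end, log_start, log_end):
    """Days (inclusive) of the investigation window with no log coverage."""
    total = (win_end - win_start).days + 1
    lo, hi = max(win_start, log_start), min(win_end, log_end)
    covered = (hi - lo).days + 1 if lo <= hi else 0
    return total - covered

if __name__ == "__main__":
    for mailbox, day, reasons in flag_forwarders(SAMPLE_EVENTS, "example.org"):
        print(day, mailbox, "; ".join(reasons))
    # Dates from the article: suspicious period vs. the logs actually provided.
    print(uncovered_days(date(2018, 7, 1), date(2018, 8, 10),
                         date(2018, 8, 12), date(2018, 9, 11)))
```

With the article's dates, the supplied extract starts after the suspicious period ends, so every day of that period is uncovered.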
However, the audit has failed to unravel who actually owns the three foreign accounts–two in the USA and one in Mexico–alleged to have been opened under SLC. These accounts at Banamex Bank Mexico, BBVA Compass Bank and Wells Fargo Bank USA have been used for the alleged wire transfer fraud. SLC has denied having opened any accounts in foreign banks, although the SLC Secretary admits that the Board has given authority to their foreign representatives in the United Kingdom and Australia to do so. This was, however, contradicted by SLC’s Chief Executive Officer at the court hearing and the report recommends that such authority should be granted only after proper evaluation and study in the future.