WIPRO Embezzlement: An IS Perspective
The Rs 20 crore embezzlement incident at WIPRO reflects how a CMM Level 5 company with ISO 27001 certification and other accolades can go wrong in implementing an effective Information Security practice. This is not the time to gloat over the failure of a fellow IS manager but the time to introspect on why the security breach occurred and where the controls failed.
What has happened today at WIPRO may very well happen in any other organization as well. In Banking, we say that "Where there is money, there will be fraud". Now that some IT companies hold cash on hand and in Bank worth thousands of crores, they are as vulnerable to financial frauds as any Bank. This incident should first of all make IT companies understand that "Money Management Skills" are an essential part of running a large IT company.
The incident marks not only a failure of the WIPRO IS system but also the failure of its Statutory Auditors, HR Department, Bankers, Whistle Blowing policy, etc.
As part of the exercise to derive some lessons from the incident, let's explore it further based on the published information about the occurrence of the fraud.
Some of the facts that have come to the fore are:
1. A total of US $4 million was transferred from the WIPRO Bank account to the personal accounts of one of the employees and his relatives.
2. The transfers occurred over a period of 3 years, in amounts ranging from Rs 1 lakh to Rs 1.2 crore!
3. The employee was a chartered accountant who worked in a department called "Controllership", responsible for authorizing payments and maintaining the accounts of the Company.
4. According to the CFO of the Company, only one person was involved in the fraud, and he had stolen the password of another person to commit it.
5. A sum of US $2 million has since been recovered. The employee has been suspended. The Controllership division has been disbanded. The Company says it will introduce job rotation in the finance department. The internal investigation is over. Some external assistance from auditors is also being sought.
While the Company maintains that it has suspended the erring employee but not filed a Police complaint, there is a rumour that the employee has committed suicide. His body was reportedly found near the railway track at K R Puram. He was said to be a CA topper and was being groomed for more responsibilities. Was it only a suicide, or was somebody else involved in the crime who made it appear so? Only a Police investigation would reveal this. The fact that no Police complaint was filed raises some questions in this regard.
From the IS perspective one can clearly see the failures on the following fronts:
1. Use of passwords for authorization instead of the legally mandated digital signatures, and use of the same password for a long time.
2. Not assessing the Cyber Offendo Mania risk of the employees.
3. Not implementing IS from the Techno Legal and Behavioural Science perspective.
4. Not filing a formal complaint with the Police.
Let me elaborate on these aspects.
Non-use of Digital Signatures:
Apparently Wipro's Bankers were transferring funds from the Company's Bank account to individual accounts on the basis of password-authenticated instructions. It is strange that individual transactions of up to Rs 1.2 crore were permitted on the strength of password-based authentication. It is not clear whether the same password was used all through the three years, or whether the password was changed but stolen each time. If the same password was being used, it would appear that the IS Policy was not being implemented and that auditors of all kinds had ignored this.
We are all aware that ITA 2000 prescribed Digital Signatures as the means of authenticating electronic documents, and despite RBI repeatedly advising Banks to use digital signatures or assume the legal risk of not doing so, Banks continue to use passwords as the means of authentication, which is not supported by Indian law.
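To make the difference concrete, the following added example (written for this commentary, not code from WIPRO, its Bankers or the author) contrasts the two authorization models for a payment instruction. The RSA parameters are constructed toy values, and the account identifiers and amount are illustrative.

```python
import hashlib
import json

# Password model: the bank accepts any instruction accompanied by the secret.
def authorize_by_password(instruction: dict, presented: str, stored: str) -> bool:
    # Nothing ties the credential to this instruction: whoever has the password
    # (the owner, or someone who stole it) can authorize any amount to any payee.
    return presented == stored

# Signature model: toy RSA over a hash of the instruction.
# Mersenne primes chosen for readability (constructed, NOT secure);
# a real deployment uses a 2048-bit-or-larger key held in a token or HSM.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: held only by the authorizer

def _digest(instruction: dict) -> int:
    # Canonical JSON so the same instruction always hashes identically;
    # truncated to 64 bits so the value lies below the toy modulus N.
    canonical = json.dumps(instruction, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:8], "big")

def sign(instruction: dict, d: int = D) -> int:
    return pow(_digest(instruction), d, N)

def verify(instruction: dict, signature: int, e: int = E, n: int = N) -> bool:
    # The bank needs only the public key (E, N); a stolen password, or even a
    # genuine signature on a different instruction, does not pass this check.
    return pow(signature, e, n) == _digest(instruction)

def demo() -> dict:
    # Constructed payment instruction; identifiers and amount are illustrative.
    instr = {"from": "CORP-0001", "to": "IND-7781", "amount_inr": 12_000_000, "ref": "PAY-0001"}
    sig = sign(instr)
    tampered = dict(instr, amount_inr=24_000_000)   # amount altered after signing
    replayed = dict(instr, ref="PAY-0002")          # old signature, new instruction
    return {
        "password_accepts_tampered": authorize_by_password(tampered, "s3cret", "s3cret"),
        "signature_genuine": verify(instr, sig),
        "signature_tampered": verify(tampered, sig),
        "signature_replayed": verify(replayed, sig),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```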
Moreover, the Bank seems not to have noticed that money of large value was being transferred by a single individual to other personal accounts. The possibility of these being viewed as suspicious transactions, either out of usual Banking prudence or because of AML regulations, was very high.
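As an added illustration of the monitoring the Bank or the Company's own finance controls could have applied, the following example (not from the article or any of the parties named) runs three simple rules over a constructed ledger: large transfers from the corporate account to individuals, repeated payments to the same individual beneficiary, and transfers where the initiator and approver are the same person. Account identifiers, employee ids, dates and amounts are all constructed.

```python
from collections import defaultdict

LAKH = 100_000   # Rs 1 lakh

# Constructed ledger: each row is one outward transfer from the corporate account.
LEDGER = [
    {"date": "2007-04-02", "to": "IND-7781",  "to_type": "individual", "amount": 1 * LAKH,   "initiated_by": "emp42", "approved_by": "emp42"},
    {"date": "2007-07-15", "to": "VEND-0031", "to_type": "corporate",  "amount": 80 * LAKH,  "initiated_by": "emp42", "approved_by": "emp17"},
    {"date": "2008-01-09", "to": "IND-7781",  "to_type": "individual", "amount": 45 * LAKH,  "initiated_by": "emp42", "approved_by": "emp42"},
    {"date": "2008-06-21", "to": "IND-7790",  "to_type": "individual", "amount": 120 * LAKH, "initiated_by": "emp42", "approved_by": "emp42"},
    {"date": "2009-02-11", "to": "IND-7781",  "to_type": "individual", "amount": 30 * LAKH,  "initiated_by": "emp42", "approved_by": "emp42"},
]

def monitor(ledger, single_txn_limit=10 * LAKH, repeat_threshold=3):
    """Return a list of (rule, detail) alerts for the given ledger.

    single_txn_limit: amount above which a payment to an individual is flagged.
    repeat_threshold: number of payments to one individual that triggers a review.
    """
    alerts = []
    per_beneficiary = defaultdict(list)
    for row in ledger:
        # Rule 1: a corporate account paying a large sum to a private individual.
        if row["to_type"] == "individual" and row["amount"] > single_txn_limit:
            alerts.append(("large_transfer_to_individual",
                           f'{row["date"]} {row["to"]} Rs {row["amount"]:,}'))
        # Rule 2: no maker-checker separation on the payment.
        if row["initiated_by"] == row["approved_by"]:
            alerts.append(("no_maker_checker",
                           f'{row["date"]} {row["to"]} by {row["initiated_by"]}'))
        if row["to_type"] == "individual":
            per_beneficiary[row["to"]].append(row["amount"])
    # Rule 3: the same individual receiving corporate payments again and again.
    for acct, amounts in per_beneficiary.items():
        if len(amounts) >= repeat_threshold:
            alerts.append(("repeat_individual_beneficiary",
                           f"{acct} x{len(amounts)} total Rs {sum(amounts):,}"))
    return alerts

if __name__ == "__main__":
    for rule, detail in monitor(LEDGER):
        print(f"{rule}: {detail}")
```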
It would not be surprising if WIPRO were to invoke the "Legal Risk for Banks" under RBI's Internet Banking policy and contend that the loss should be borne by the Bank.
WIPRO being a supplier of many e-Governance products such as PKI-enabled e-Tendering systems, it is strange that it has not been using a PKI-based system for financial transactions of the magnitude of even Rs 1.2 crore. There are no words to describe the callous attitude of the Company in this regard. It seriously undermines the expertise of the Company in the financial and information security domains.
Refer to the article "When Banks in India don't use Digital Signatures, It would be a Clause 49 Non Compliance" for more on the compliance requirements of Banks regarding the use of digital signatures.
Assessing Cyber Offendo Mania Risk
In my earlier article Compulsive Cyber Offence Syndrome, I had discussed a special kind of Information Security Risk which I termed Compulsive Cyber Offence Syndrome (Cyber Offendo Mania): a psychological disorder in IT workers that drives them to commit technology crimes under the notion of either anonymity or technology intoxication. When an employee was entrusted with the power to withdraw up to Rs 1.2 crore on the technology platform, the risk had to be recognized. Remember that even if the subject employee was not a fraudulent person, somebody else could have hijacked his sessions or accessed the password, just as this person himself did, and transferred the money to a Nigerian account!
Every organization is therefore recommended to have in place suitable Behavioural Science assessments of its key employees to identify their propensity to cross the proverbial yellow line. I agree that this is a developing idea and that the author may be one of the first to suggest such an assessment test. But WIPRO, being a market leader and a company which had earlier seen a terrorist message emanate from one of its employees, could reasonably have been expected to take such innovative security measures when such thoughts emerge.
Non-Implementation of Information Security from the perspective of the Techno Legal and Behavioural Science Approach:
I refer to another of my earlier articles, Three Dimensional IT Security Model, backed by the Theory of IS Motivation Based on a Behavioural Science Approach (also see Theory of IS Motivation Clarified), where I had explained the concept that Information Security implementation is motivated by certain Behavioural Science aspects such as Awareness, Acceptance and Inspiration, besides the technical and legal aspects. Under this approach it was recommended that all employees be put through a programme for creating a Cyber Ethics culture through training, ethical declarations and the creation of champions to promote the idea internally. WIPRO may review its HR systems to understand whether there were shortcomings in this respect.
Non-Filing of Police Complaint
When a major fraud of this nature has occurred and it has all the potential of snowballing into a major scam, the Company's decision not to bring the commission of a Cognizable offence to the knowledge of law enforcement is strange and gives room to many speculative doubts. Add to this the rumour that the accused employee is no longer alive and was found dead under mysterious circumstances, as per some comments found at http://economictimes.indiatimes.com/opinions/5582173.cms#top0, and it appears that things may be more than what meets the eye.
It also raises doubts as to whether this was part of a larger scam of misappropriation of the company's money, whether the internal audit committee was negligent, whether the Statutory Auditors were negligent, etc. After the way the Satyam Scam surfaced, there is no way one can discount a similar scam in any other company, including WIPRO.
It was therefore necessary for the Company to have reported the issue to the Police and, if necessary, to facilitate a large-scale investigation to examine all the ramifications. Now that the fraud has come into the public domain, Bangalore Police will be forced to call on WIPRO and start an investigation of their own, whether the Company likes it or not. Similarly, NASSCOM may also need to take up its own enquiries and develop an advisory for its other members.
Naavi
February 19, 2010
Related Article:
Hacking for US $4 Million at WIPRO
Comments are Welcome at
naavi@vsnl.com