The Rs 20 crore embezzlement incident at WIPRO reflects how a CMM 5 level Company with ISO 27001 audit certification and other accolades can go wrong in implementing an effective Information Security practice. This is not the time to gloat over the failure of a fellow IS manager but the time to introspect on why the security breach occurred and where the controls failed. What has happened today at WIPRO may very well happen in any other organization as well.
In Banking, we say that “Where there is money, there will be fraud”. Now that some of the IT companies hold cash on hand and in Bank worth thousands of crores, they are as vulnerable to financial frauds as any Bank. This incident should first of all make IT companies understand that “Money Management Skills” are part of running a large IT company.
The incident marks not only a failure of the WIPRO IS system but also the failure of its Statutory Auditors, HR Department, the Bankers, Whistle Blowing policy etc. As a part of the exercise to derive some lessons out of the incident, let’s explore the incident further based on the published information about the occurrence of the fraud. Some of the facts that have come to the fore are that:
1. A total of US $ 4 million was transferred from the WIPRO Bank account to the personal accounts of one of the employees and his relatives.
2. The transfers occurred over a period of 3 years in amounts ranging from Rs 1 lakh to Rs 1.2 crore!
3. The employee was a chartered accountant who worked in a department called “Controllership” responsible for authorizing payments and maintaining the accounts of the Company.
4. According to the CFO of the Company, only one person was involved in the fraud and he had stolen the password of another person to commit the fraud.
5. A sum of US $ 2 million has since been recovered and the employee suspended. The Controllership division has been disbanded. The Company says it will introduce job rotation in the finance department. The internal investigation is over. Some external assistance from auditors is also being sought. While the Company maintains that it has suspended the erring employee but not filed a Police complaint, there is a rumour that the employee has committed suicide. His body was reportedly found near the railway track at K R Puram. He was supposed to be a CA topper and was being groomed for more responsibilities. Was it only a suicide, or was anybody else involved in the crime who made it appear to be so? Only an investigation by the Police would reveal. The fact that no Police complaint was filed opens up some questions in this regard.
From the IS perspective one can clearly see the failures on the following fronts:
1. Use of passwords for authorization instead of the legally mandated digital signatures, and using the same password for a long time.
2. Not assessing the Cyber Offendo Mania risk of the employees.
3. Not implementing IS from the Techno Legal and Behavioural Science perspective.
4. Not filing a formal complaint with the Police.
Let me elaborate on these aspects.
Non use of Digital Signatures:
Apparently Wipro’s Bankers were transferring funds from the Company’s Bank account to individual accounts based on password based instructions. It is strange that individual transactions of up to Rs 1.2 crore have been permitted based on password based authentication. It is not clear if the same password had been used all through the three years or if the password was changed but stolen each time. If the same password was being used, it would appear that the IS Policy was not being implemented and auditors of all kinds had ignored the same.
We are all aware that ITA 2000 prescribed Digital Signatures as the means of authentication of electronic documents and, despite RBI repeatedly advising Banks to use digital signatures or assume the legal risk of non-usage, Banks continue to use passwords as the means of authentication, which is not supported by Indian law.
Moreover, the Bank seems not to have noticed that money of large value was being transferred by a single individual to other personal accounts. The possibility of these being viewed as suspicious transactions, either on the basis of usual Banking prudence or because of AML regulations, was very high.
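As an added example that is not from the article and not code from Wipro or its Bankers, the following Python screens a set of constructed corporate payment records for the control gaps described above: a single password holder approving large payments with no second approver, beneficiary accounts held by the employee or his declared relatives, a password left unchanged for years, and a long series of payments to one person that is only visible when totalled. The threshold, the password-age limit, the relationship register and the record format are all assumptions.

```python
# Added example (not from the article): a defender-side screen over constructed payment records.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LAKH = 100_000
DUAL_AUTH_THRESHOLD = 1 * LAKH      # assumption: Rs 1 lakh and above needs an independent second approver
MAX_CREDENTIAL_AGE_DAYS = 90        # assumption: policy limit on the age of an authorizing password
# constructed HR register (assumption): employee id -> own name plus declared relatives
RELATED_NAMES = {"emp042": {"A. Kumar", "R. Kumar", "S. Kumar"}}

@dataclass
class Transfer:
    ref: str
    amount: int                  # rupees
    authorizer: str              # user whose password approved the payment
    approver: Optional[str]      # independent second approver, None if absent
    beneficiary_owner: str       # name the beneficiary account is held in
    credential_age_days: int     # age of the authorizer's password when the payment was made

def flag_transfer(t: Transfer) -> List[str]:
    """Return the control failures a single transfer exhibits (empty list if none)."""
    reasons = []
    if t.amount >= DUAL_AUTH_THRESHOLD and t.approver in (None, t.authorizer):
        reasons.append("no independent second approver")
    if t.beneficiary_owner in RELATED_NAMES.get(t.authorizer, set()):
        reasons.append("beneficiary is the authorizer or a declared relative")
    if t.credential_age_days > MAX_CREDENTIAL_AGE_DAYS:
        reasons.append("authorizer password older than policy allows")
    return reasons

def screen(transfers: List[Transfer]) -> Tuple[Dict[str, List[str]], Dict[Tuple[str, str], int]]:
    """Flag individual transfers and total outflow per (authorizer, beneficiary) so a drip of payments shows as one figure."""
    flagged, cumulative = {}, {}
    for t in transfers:
        reasons = flag_transfer(t)
        if reasons:
            flagged[t.ref] = reasons
        key = (t.authorizer, t.beneficiary_owner)
        cumulative[key] = cumulative.get(key, 0) + t.amount
    return flagged, cumulative

# constructed sample: one authorizer, payments from Rs 1 lakh to Rs 1.2 crore, stale password
SAMPLE = [
    Transfer("T1", 1 * LAKH, "emp042", None, "R. Kumar", 400),
    Transfer("T2", 120 * LAKH, "emp042", None, "A. Kumar", 1000),
    Transfer("T3", 5 * LAKH, "emp042", "emp007", "Vendor Pvt Ltd", 30),
    Transfer("T4", 50_000, "emp099", None, "Vendor Pvt Ltd", 30),
]
```

Run against SAMPLE, T1 and T2 are flagged on all three counts while the vendor payments pass; the cumulative table separately shows Rs 1.21 crore flowing from one authorizer to his own household.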
It would not be surprising if WIPRO were to invoke the “Legal Risk for Banks” under RBI’s Internet Banking policy and contend that the loss should be borne by the Bank. WIPRO being a supplier of many e-Governance products such as e-Tendering systems which are PKI enabled, it is strange that it has not been using a PKI based system for financial transactions of the magnitude of even Rs 1.2 crores.
There are no words to describe the callous attitude of the Company in this regard. It seriously undermines the expertise of the Company in the financial and information security domains.
Refer to the article “When Banks in India don’t use Digital Signatures, ..It would be a Clause 49 Non Compliance” for more on the compliance requirements of Banks regarding the use of digital signatures.
Assessing Cyber Offendo Mania Risk
In my earlier article Compulsive Cyber Offence Syndrome, I discussed a special kind of Information Security Risk which I termed Compulsive Cyber Offence Syndrome (Cyber Offendo Mania), a psychological disorder in IT workers that leads them to commit technology crimes under the notion of either anonymity or technology intoxication.
When an employee was entrusted with powers to withdraw up to Rs 1.2 crores on the technology platform, the risk had to be recognized. Remember that even if the subject employee was not a fraudulent person, somebody else could have hijacked his sessions or accessed the password, just as this person himself did, and transferred the money to a Nigerian account!
Every organization is therefore recommended to have in place suitable Behavioural Science assessments of their key employees to identify their propensity to cross the proverbial yellow line.
I agree that this is a developing idea and the author may be one of the first to suggest such an assessment test. But WIPRO being a market leader and a company which had earlier seen a terrorist message emanate from one of its employees could have been reasonably expected to take such innovative security measures when such thoughts emerge.
Non Implementation of the Information Security from the perspective of Techno Legal and Behavioural Science Approach:
I refer to another of my earlier articles, Three Dimensional IT Security Model backed by the Theory of IS Motivation Based on a Behavioural Science Approach (also see Theory of IS Motivation Clarified), where I explained the concept that Information Security implementation is motivated by certain Behavioural Science aspects such as Awareness, Acceptance and Inspiration besides the technical and legal aspects. Under this approach it was recommended that all employees be put through a programme for creating a Cyber Ethics culture through training, ethical declaration and the creation of champions to promote the idea internally.
WIPRO may review its HR systems to understand if there were shortcomings in this respect.
Non Filing of Police Complaint
When a major fraud of this nature has occurred and it has all the potential of snowballing into a major scam, the Company’s decision not to bring the commission of the Cognizable offence to the knowledge of the law enforcement is strange and gives room to many speculative doubts.
Add to this the rumour that the accused employee is no longer alive and was found dead under mysterious circumstances, and one wonders if there was something more than a simple fraud in the case. The doubts that arise are: whether there were others involved in the incident, whether this was part of a larger scam of misappropriation of the company’s money, whether the internal audit committee was negligent, whether the Statutory Auditors were negligent, etc.
After the way Satyam Scam surfaced, there is no way one can discount a similar scam in any other company including WIPRO.
It was therefore necessary for the Company to have reported the issue to the Police and, if necessary, facilitated a large scale investigation to examine all the ramifications. Now that the fraud has come into the public domain, Bangalore Police will be forced to call on WIPRO and start an investigation of their own whether the Company likes it or not. Similarly, NASSCOM also may need to take up its own enquiries and develop an advisory for its other members.