If you had a place where you kept your barang-barang/bric-a-brac/bits-n-pieces, even a detached one, would you leave it unlocked and unlatched while latching and locking the rest of your home?
I was actually planning a blog on the multi-billion-dollar money laundering case in Singapore when this piece of news came out in the open: the case of the disgruntled NCS employee. Laundry can wait.
Some facts as they have been released (1)
Background
1 NCS (2) is owned by the Singtel group.
2 NCS focuses on applications, cybersecurity, infrastructure and engineering.
3 NCS serves corporates, telcos (since it is owned by Singtel) and, more pertinently, Government. In fact, up to 66% of NCS's S$2.7B revenue was from government (3), and as recently as this year NCS was still focused on government (4).
4 Singtel is also a major player in GXS bank, together with Grab.
Mr Nagaraju
5 Mr Nagaraju was employed by NCS from November 2021.
6 Mr Nagaraju was fired by NCS in October 2022, with an effective last day of Nov 16 2022.
7 Mr Nagaraju went back to India.
8 Between Jan 6 2023 and Jan 17 2023, Mr Nagaraju accessed NCS servers using administrator credentials six times.
9 Mr Nagaraju found a new job in Singapore in February 2023 and came back to Singapore, living with an ex-NCS colleague.
10 He used that colleague's Wi-Fi and accessed NCS systems again in February 2023.
11 In March 2023, more than three months after his last day, Mr Nagaraju accessed the NCS systems 13 times and deleted some virtual servers.
12 Mr Nagaraju was arrested in April 2023.
13 He was sentenced to 2 years and 8 months in jail.
14 NCS apparently made a loss of S$918,000.
The press reaction
Mainstream media is portraying this case as a disgruntled ex-employee causing almost S$1m of damage to his ex-employer. This misses the point.
Assuming 66% of NCS revenue came from government, that is roughly S$1.8B that the government paid NCS in 2023 for services. Hence a lot of data that pertains to Singapore residents, very likely including personally identifiable information, sits in systems possibly built (infrastructure and engineering), managed (applications) and secured (cybersecurity) by NCS. This should be the story.
I am sure some people will argue that the systems Mr Nagaraju had access to were not government systems but systems internal to NCS. Yes, but so what? If you cannot keep your own house in order, how can you help keep someone else's? What kind of governance does NCS have over its own systems?
Think about it:
1 Mr Nagaraju accessed systems after he was fired, so the HR system is probably not integrated with the systems that grant access: a termination in HR should automatically disable the person's accounts. Note also that he was fired; he did not resign voluntarily, so there was no ambiguity about his status. This is really strange, because in a previous project I was involved in, we did have to integrate with the HR system to control access systematically.
2 He accessed the systems from India. Hence there is no geographical restriction on who can access NCS systems. Allowing remote access is a good thing for employees working from home or handling emergencies, but it needs monitoring of where and when logins happen, in something close to real time, not a half-yearly review after the horses have bolted.
3 It is not mentioned whether he used an NCS device or his own personal device from India. Personal devices can be brought under control (for example, only enrolled devices in a known state get in), and three months is well past any reasonable window for reviewing which personal devices still have access. If he had an NCS laptop, then the device offboarding process failed as well: the device's access was never cut.
4 He had admin privileges and admin credentials. Either his own ID was never disabled, which is not a new failure mode and one you would have thought lessons had been learnt from, or it was a shared ID and password, a major no-no in the IT world. Either way, NCS controls and governance over IDs, passwords and access were severely lacking. I am not saying NCS was the IT vendor in those cases, but as far back as 2017 the Auditor-General reviewed IT controls at critical government agencies (Ministry of Defence MINDEF, Ministry of Manpower MOM and Singapore Customs) and found similar lapses in ID management (5).
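The reconciliation the four points above call for can be scripted. The following is an added example written for this post; it is not NCS's code and nothing in the article describes how NCS does this. It takes an HR leaver feed, a directory account export and authentication log lines, and flags a leaver whose account is still enabled, successful logins after the last working day, and logins from a country where staff are not expected to be. All inputs are constructed to mirror the timeline above: the account name, dates, IP addresses, log format and the assumption that staff log in only from Singapore are illustrative.

```python
"""Post-termination access reconciliation (added example, not NCS code).

Correlates three constructed inputs: an HR leaver feed, a directory
account export, and authentication log lines. It flags the gaps the post
calls out: a leaver whose account was never disabled, successful logins
after the last working day, and logins from an unexpected country.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Leaver:
    user: str
    last_day: date          # last working day as recorded by HR


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    admin: bool


@dataclass(frozen=True)
class Finding:
    kind: str               # one of the three kinds emitted by reconcile()
    user: str
    detail: str


# Constructed HR feed: the account name and date are illustrative only.
LEAVERS = [Leaver("k.nagaraju", date(2022, 11, 16))]

# Constructed directory export: the leaver is still enabled and still admin.
ACCOUNTS = [
    Account("k.nagaraju", enabled=True, admin=True),
    Account("a.tan", enabled=True, admin=False),
]

# Constructed auth log: "<utc timestamp> <user> <result> <src ip> <country> <role>".
AUTH_LOG = """\
2023-01-06T02:14:09Z k.nagaraju SUCCESS 203.0.113.7 IN admin
2023-01-10T23:40:51Z a.tan SUCCESS 198.51.100.21 SG user
2023-02-20T13:02:33Z k.nagaraju SUCCESS 198.51.100.88 SG admin
2023-03-21T15:11:45Z k.nagaraju SUCCESS 198.51.100.88 SG admin
"""

# Assumption: staff are expected to log in from Singapore only.
ALLOWED_COUNTRIES = {"SG"}

AuthEvent = Tuple[datetime, str, str, str, str, str]


def parse_auth_log(text: str) -> List[AuthEvent]:
    """Parse the constructed log format into (ts, user, result, ip, country, role)."""
    events: List[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip, country, role = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        events.append((when, user, result, ip, country, role))
    return events


def reconcile(leavers, accounts, events, today: date) -> List[Finding]:
    """Return findings in a fixed order: account state first, then log events by time."""
    last_day = {l.user: l.last_day for l in leavers}
    findings: List[Finding] = []

    # 1. Accounts HR says are gone but the directory still has enabled.
    for acct in accounts:
        if acct.user in last_day and acct.enabled and today > last_day[acct.user]:
            overdue = (today - last_day[acct.user]).days
            tag = "admin " if acct.admin else ""
            findings.append(Finding("account_still_enabled", acct.user,
                                    f"{tag}account enabled {overdue} days after last day"))

    # 2. Successful logins by a leaver after the last working day, and
    # 3. successful logins from outside the allowed countries.
    for when, user, result, ip, country, role in sorted(events):
        if result != "SUCCESS":
            continue
        if user in last_day and when.date() > last_day[user]:
            late = (when.date() - last_day[user]).days
            findings.append(Finding("login_after_termination", user,
                                    f"{role} login from {ip} {late} days after last day"))
        if country not in ALLOWED_COUNTRIES:
            findings.append(Finding("login_from_unexpected_country", user,
                                    f"{role} login from {ip} ({country})"))
    return findings


def run() -> List[Finding]:
    """Run the reconciliation over the constructed inputs as of 2023-04-01."""
    return reconcile(LEAVERS, ACCOUNTS, parse_auth_log(AUTH_LOG), date(2023, 4, 1))


if __name__ == "__main__":
    for f in run():
        print(f"{f.kind:30} {f.user:12} {f.detail}")
```

The point of the ordering is that the account-state check fires on the day after the last working day, before any login has happened; the log checks are the safety net for when the account check was never run. In a real deployment the HR feed and directory export would be pulled daily and the log check would run on each authentication event rather than on a batch.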
In brief, this case shows how bad NCS's controls were. And I think it is legitimate to ask how far this culture has affected the projects for which they earned around S$1.8B from the government in 2023.
I am sure nobody in SG has forgotten the IHiS/SingHealth breach, where even the then PM's data was searched (6).
To me, focusing on close to S$1M of 'losses' to NCS is a red herring. And I would like to ask: isn't NCS aware of backups? Apparently NCS only discovered the servers were missing when someone tried to log into one of them the day after Mr Nagaraju deleted it. S$1M worth of damage from deleted virtual servers is hard to believe unless there were no backups to restore from. That would be another horror story about how NCS managed its servers.
Conclusion
I think it is important to understand that the real story is not the SGD1M NCS supposedly lost, but the fact that their governance, processes and security practices leave much to be desired.
It's all about culture: is securing your company's assets in your blood?
Data is crucial, especially when more and more government services are moving online. We trust certain organisations to keep our data safe, and they choose vendors who, we hope, will do so. Personally, when I see a major vendor for these government organisations having a loose data culture, I fear for my data.
(1) https://www.channelnewsasia.com/singapore/former-employee-hack-ncs-delete-virtual-servers-quality-testing-4402141
(2) https://en.wikipedia.org/wiki/NCS_Group
(3) https://www.singtel.com/about-us/investor-relations/annual-report-fy2023/ncs-ceo-review
(4) https://www.zdnet.com/article/ncs-looks-beyond-government-singapore-for-transformation-growth/
(5) https://tnp.straitstimes.com/news/singapore/government-audit-finds-lapses-it-controls-unchecked-vendors
(6) https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most