Embezzlement at Wipro

Wipro is a company I strongly admire and (unfortunately) has been hit by an insider. This is the second most admired company of mine I have to write about. Had written about TCS's web defacement earlier and now Wipro's loss. Both companies with strong Security and Risk practices, hit by that known unknown - a insider and a hacker!
Just read about a $ 4 m embezzlement carried out by a Wipro employee working in their finance department Apparently this person was a three year old employee and was in the 'controllership' division of the finance department which is a pretty powerful cell. They hold books of accounts and have the powers to authorize payments.

According to the report the fraud was perpetrated using a stolen password and using it to transfer funds to his account which he then splurged. Apparently the amount siphoned out ranged from Rs. 100,000 (~$ 2100) to Rs. 12,000,000 (~$ 250,000)

And I must make my observations here ! So here goes....

- Kudos to Wipro to make a disclosure ! We do not see this happening and this is a break. Of course there are regulatory requirements which they have to adhere to. However, whatever may be the driver, I am glad they made the disclosure.
(I do feel sorry for their InfoSec team)

- What I do not understand is how can one person use a stolen password to siphon out money from the company account. Does this mean that only one password was sufficient to authorize transfers ? Or maybe it was this guy's password plus the stolen one that did the trick ? Still, is there no balancing done at the end of a week or by the persons who are authorizing transactions.

- There must be a limit set for each person who is authorized to transfer money - did it range from $ 2K to $ 200 K !

- Apparently this gent did not do the transfers in one day and has been at it for quite some time since he has invested in property too which is not something you buy off-the-shelf. So all this time while he has been dipping into the pot, no one sees good things happening to him and there is no change in his lifestyle to raise any alarm bells in the department ?

- The article quoted below does ask about security policies and has no answers to provide.

- They have been able to recover half the money and the statement tries to make it look like a small amount. Folks a million is not small change :)

...... wish the folks in their InfoSec team the very best and hope they get on top of the few controls that are missed out.

I plan to write about old world and new world habits and how things are different and how we can make systems more robust by just leaning on our heritage. Keep a look out for this !

ET covered this incident....


Update 2/19/2010

PC World

The PC World article says the fraud had been going on for a year, Excuse me ! So this guy had a stolen password and was using it for a year and the password owner did not know and the password did not change in this year and no one did any reconciliation or account balancing.... hello .... is there something more than meets the eye here ?

Labels: , ,