Namfisa was hacked
It is alleged that neither the Namfisa board nor the forensic investigating team thought it prudent to properly investigate security breaches at the regulator.
31 August 2017 | Crime
This accusation is made in an affidavit by the Public Accountants' and Auditors' Board (PAAB) in its court challenge against chartered accountant Hans Hashagen.
The Namfisa board was then under the chairpersonship of Rick Kukuri. Other board members were Baronice Hans (deputy chairperson, who resigned from the board in April 2009), Iipumbu Shiimi (current governor of the Bank of Namibia), Tia Chata and Titus Iipumbu.
In February 2009 the board allegedly instructed the termination of the services of a forensic investigator. It is also accused of having “purposefully” discarded crucial evidence gathered by the investigator.
This evidence included security system files that had been purposely deleted.
At the time, the IT service provider to Namfisa was a company called SALT, of which the board chairperson was Tega Shiimi ya Shiimi.
Ya Shiimi at the time was also the managing director of Sanlam Investment Manager (SIM), as well as a director at Sanlam.
Both Sanlam and SIM are regulated by Namfisa, which is the watchdog of the non-banking financial sector.
Important to note is that SIM at the time facilitated the bulk of the transactions on behalf of the Government Institutions Pension Fund's (GIPF) Development Capital Portfolio (DCP) investment loans that saw the GIPF losing hundreds of millions of dollars.
These transactions at the time were being investigated by Namfisa under the leadership of its former CEO, Rainer Ritter.
It is alleged that on 27 October 2008 an employee of SALT, Chris Baisako, had sent an email to Namfisa's IT manager, Petrus Kafidi. The email contained screenshots of emails received and sent by Namfisa managers and senior employees.
These senior managers and line managers were Ritter, Lily Brandt (general manager of finance and administration), Ebben Kalondo (communications manager), John Uusiku (former manager of the pensions fund department) and Adrianus Vugs (manager: risk and policy).
Ernst & Young and Hashagen's forensic report into alleged misconduct at Namfisa stated that Brandt and Kafidi were asked to look into these emails.
EY's conclusion on the matter was that the screenshots allegedly found on Kafidi's computer could be explained by Brandt and Kafidi and that it seemed to have been “within the ambit” of Kafidi's duties.
The EY report did not mention the service and confidentiality agreement between Namfisa and SALT, and no information was sought from Baisako on why he had accessed emails of the regulatory body.
Also questioned is how the EY report could conclude that “snooping” into senior managers' email correspondence could be regarded as within the ambit of the IT manager's duties.
Furthermore, SALT's interest in the internal email correspondence between the senior Namfisa staff remained unanswered.
Neither was it explained what authority Brand had to allow SALT to intercept, copy or distribute internal emails of senior staff, since she was not concerned with regulatory investigations.
The EY investigating team is said to have had all the information pertaining to this, and other, matters, yet it allegedly failed to properly report or investigate these, the result of which was Ritter's eventual exit from Namfisa.
Prior to the EY forensic investigation, Ritter had given two reports to the Namfisa board that pertained to security issues experienced on the Namfisa premises during 24 hours in November 2008.
These reports alleged that between 15:30 on 12 November 2008 and 08:00 on 13 November 2008 the Namfisa forensic IT server was hacked and data relating to two investigations the regulator was conducting was likely removed.
The reports said it was likely that other files had also been removed because a removable device containing critical data was destroyed.
It stated that five databases were probably copied from the server and access privileges had been changed on the rest of the system.
SEQUENCE OF EVENTS
The report to the Namfisa board stated that on 12 November 2008 at around 15:30 the network became “completely inoperable” on a large section of the first floor and the forensics room at Namfisa's premises in the Sanlam building.
At the time Kafidi allegedly could not be reached by telephone.
At about 08:00 on 14 November 2008 it was discovered that the server software was inoperable and the hacking was revealed.
It was then recommended that Namfisa should get higher-level physical and logistical security and more secure locking systems for the forensic room.
Already by July 2008 it had been observed that the Namfisa network and computing system could have been accessed from outside with minimal effort. In short, the Namfisa network was found to have been insecure and open to the world.
A report in December 2008 said SALT, an external organisation, was managing an email server and that all emails were compromised and harvested for at least seven months.
It is alleged that SALT at some point had removed all security barriers between Namfisa and SALT, which effectively exposed Namfisa to other SALT clients and the entire world.
At the time, a high level of outward data traffic from personal computers was observed via data mining software “planted” on the computers while the network was compromised.