
How insider techies stunned top IT firm, banks with Sh91m M-Pesa heist

On June 21, 2018, the Kenyan multinational IT firm Craft Silicon Limited received an unusual call from Safaricom. On the line was an official of the giant telco, which had flagged a security breach on the IT firm’s systems, resulting in suspicious M-Pesa transactions.

True to Safaricom’s suspicions, Craft Silicon was moments later bombarded with more distress calls from a chain of banks, including Standard Chartered Bank, Credit Bank, Kingdom Bank (formerly Jamii Bora Bank) and Kenya Women Finance Trust, which all reported suspicious activities on the IT firm’s mobile banking platform and urged it to investigate immediately.

Spooked by the breach, Craft Silicon quickly scrambled an audit of its mobile banking system and confirmed cash leaks, which were traced to one of its in-house software developers, Gideon Mwangi Kabaru. He was summarily dismissed on July 30, 2018, triggering a legal battle that exposed how an illegally installed application on the IT firm’s M-Pesa server was used to siphon millions of shillings.

Fraudulent transactions

Court submissions showed that preliminary investigations revealed that there were fraudulent transactions initiated internally by Craft Silicon’s staff, including Mr Kabaru, who had logged into the IT firm’s M-Pesa server and installed an application known as a keylogger, under the Java application, to get the passwords of the users who were authorised to access the server.

The investigation further established that the keylogger was installed by Mr Kabaru as the user.

“The claimant (Kabaru) and his colleagues, using the passwords obtained through the Java application, logged into the M-Pesa server and sent requests to Safaricom PLC to fraudulently credit various M-Pesa mobile accounts, amounts totalling Sh 91,176,192. The claimant was directly, or indirectly involved in this fraud,” said Justice James Rika in a judgment last week.

Craft Silicon in its court submissions said it hired an external investigator who concluded that there was malicious software introduced to its system through Mr Kabaru’s user name.

A final computer forensic investigation dated July 23, 2018, and submitted as an exhibit in court detailed how the heist was staged through manipulation of Craft Silicon’s systems on July 21, 2018.

The investigator found that various malicious software, in the form of keyloggers, credential harvesters, and connection scripts to external internet protocol (IP) addresses, was installed on various machines. An IP address is a unique address that identifies a device on the Internet or a local network. In essence, IP addresses are the identifiers that allow information to be sent between devices on a network; they contain location information and make devices accessible for communication.

Work laptop

The exhibit report said usernames ‘default,’ ‘Michael,’ ‘Josephine,’ ‘administrator,’ and ‘Gideon. Kabaru’ were identified as responsible for the introduction of malicious software in Craft Silicon’s system. The user Gideon Kabaru was identified to have been compromised through a keylogger.

The investigator was, however, not able to pinpoint the individual responsible for the fraud, because a local user named Default was created and used to introduce some of the malicious software used to facilitate fraud.

In his defence, Mr Kabaru claimed that he was away in Rwanda when the fraud took place and had nothing to do with it.

He said that he only came to learn of the breach on Craft Silicon’s M-Pesa server through his colleagues and not the company.

A cross-examination of Mr Kabaru, however, revealed he was aware of breaches on his official work laptop but did not disclose that to the company or to sleuths from the Directorate of Criminal Investigations (DCI), who had taken up the matter and even arraigned him in a court in Kiambu.

“He did not immediately tell the DCI that his credentials were interfered with. He told them this after he was taken to their offices. He was aware that there was some tampering with his laptop. He did not adduce evidence before the court, to show that he reported tampering to his supervisor,” said Justice Rika.

“He became aware of the investigation report in September 2018. The report was produced on the criminal case. The report concluded that the claimant’s credentials were compromised. His name was used. He was not interrogated by the DCI. He was only made to record a statement.”

Mr Kabaru, however, maintained his innocence and pointed the court to the forensic audit report that had allegedly exonerated him by failing to directly link him to the fraud.

Justice Rika, however, dismissed the accused’s claims, saying the audit report did not contain such a conclusion.

“The court does not think that the claimant was exonerated. All that the investigator stated was that he was not able to pinpoint the individual responsible for the fraud, because a local user named ‘default,’ was created and used to introduce some of the malware used to facilitate fraud,” he said.

“There were, in the view of the court, multiple malware attacks on the respondent’s ICT system. The investigator was not able to assign individual responsibility, because there were multiple usernames used. This, in the respectful view of the court, was not the same thing as finding that the claimant was not involved,” said the judge.

The court, however, reprimanded Craft Silicon for irregularly dismissing Mr Kabaru from employment despite the M-Pesa heist.

It said that while the employee’s dismissal was substantively fair and justifiable, it failed to meet the procedures laid out in the labour laws.

“While the claimant may successfully point to the investigation report’s inability to pinpoint the individual responsible for fraud, in his criminal case in Kiambu, the standard of proof of the reason for termination, under Section 43 of the Employment Act, is not proof beyond a reasonable doubt,” said Justice Rika.

“The employer is only required to show that the reason or reasons for termination of a contract are matters that the employer at the time of termination of the contract, genuinely believed to exist, and which caused the employer to terminate the services of the employee. The court is persuaded that the respondent met the evidential burden, under Section 43 of the Employment Act. Termination was substantively fair and justifiable,” said the judge.

Summarily dismissed

The court, however, ruled that the procedure used to sack Mr Kabaru was flawed. Court submissions showed that Craft Silicon held a meeting with Mr Kabaru on July 30, 2018, where it explained to him that the company could not retain him due to the fraud perpetrated by him, and he was summarily dismissed.

The court filings revealed that there was no letter to show cause issued to the employee after the investigations. There were also no charges presented against Mr Kabaru and there was no disciplinary hearing at all.

Curiously, Craft Silicon’s employee handbook provides that a disciplinary inquiry shall be held in all cases that could lead to dismissal. It states that the employee must be notified in writing of the alleged offence, the date, time, and venue of the disciplinary enquiry, giving him at least 24 hours to prepare.

The IT firm’s handbook further states that an affected employee would be allowed the facility of representation and that there would be a window for mitigation at the close of the hearing before its chief executive communicates the final verdict to an employee.

Irregular sacking

“The meeting held on July 30, 2018, was not a disciplinary enquiry, contemplated by the respondent’s employee handbook. This internal procedure, which mirrors Sections 41 and 45 of the Employment Act, was disregarded. The claimant was just called to the office by the respondent on July 30, 2018, and issued the letter of summary dismissal,” said Justice Rika.

The court concluded that although Mr Kabaru was justifiably dismissed for his culpability in the M-Pesa fraud, he was entitled to compensation for the irregular sacking by his employer.

“He was largely responsible for the circumstances leading to the premature termination of his contract. His username was among the gateways used by fraudsters, to attack the respondent’s ICT infrastructure, and defraud the respondent a huge amount of money, in the sum of Sh 91,176,192. He did not honour his duty of trust, honesty, and confidence.

“The procedure, however, was deficient, and the claimant is entitled to compensation for unfair termination which the court grants, at the equivalent of one-month gross salary at Sh253,000,” said Justice Rika as he ordered that Mr Kabaru be issued with a certificate of service.