Posts Tagged ‘Wall of Shame’

Spy Scandal at Deutsche Bahn // The Wall of Shame

Wednesday, February 18th, 2009

Does the end justify the means? Der Spiegel reports a story in which Deutsche Bahn, the German state-owned rail service, is watching a new scandal grow, one that risks implicating its top managers.

The German rail company is being accused of spying on almost all of its 227,000 employees for almost a decade. As part of a campaign to root out internal corruption (a very positive cause indeed), the spying operation consisted of comparing “master data” (i.e. personal details) of over 170,000 employees with information on around 80,000 external suppliers. This would show irregularities that might imply internal corruption. These investigations and comparisons were carried out at least three times (in 2002, 2003 and 2005).

It is now under investigation whether privacy laws have been broken. But even if Deutsche Bahn’s actions were legal, privacy is an extremely sensitive matter in Germany because of its Nazi and Communist past. Surprisingly enough, this is not the first such spying case: it follows Deutsche Telekom in 2008 and Lidl grocery stores in 2007.

Also under investigation is how aware of these proceedings its top managers were (including Deutsche Bahn’s CEO, Hartmut Mehdorn).

Once again, we are witnessing privacy and employee surveillance issues arise. Any organization is within its rights to safeguard its name, intellectual property, and even its trade and business secrets. But doing so correctly and stepping on its employees’ privacy are two different matters. Proper systems should be put in place to audit each and every action done within an organization, even by the most privileged users. Systems of this kind (like the Kinamik Secure Audit Vault) would act as a deterrent against any misuse that may occur, and accountability and full responsibility would be in place. They would protect both the organization and its employees. The organization would be protected since employees would think twice before taking any inappropriate or illegal action, knowing that each and every action is being recorded and archived. And employees would be protected since these audited actions would also include the actions allegedly done by Deutsche Bahn; any employee representative (e.g. a union leader) could then run integrity reports and analysis on the audit trails to check for improper actions, and be sure that these reports can be unquestionably trusted.

Satyam Computers: India’s Enron? - Another Wall of Shame post

Monday, January 26th, 2009

This week’s Wall of Shame post is about the recent scandal at Satyam Computers, the Indian IT outsourcing giant.

The scandal, reported extensively in the media, is the biggest-ever corporate fraud in India’s history. Satyam’s former CEO, Ramalinga Raju, admitted he had been cooking the books of his firm in recent years. In his statement, Mr. Raju said that about $1bn (€0.75bn), reflecting 94% of the cash on the company’s books, was made up. The fraud he perpetrated was so large and complex that Indian business people are already calling it “India’s Enron”.

But this immense fraud scandal does not end here. Just as in Enron’s case, in which one of the “Big Five” accounting firms, Arthur Andersen, was finished, one of the remaining “Big Four” now finds itself in the middle of this turmoil: PriceWaterhouseCoopers is in the spotlight.

Bloomberg.com reports that two PriceWaterhouseCoopers auditors have just been arrested, putting the auditing organization at the center of attention. It is the first time in India’s history that an auditor has been detained for failing to ensure a client’s financial integrity. PriceWaterhouseCoopers LLP may even face scrutiny in the U.S. after Satyam’s equities, listed in New York, lost 82% of their market value in two weeks.

Many implications arise out of this scandal. The first question that comes to mind is how such a big fraud could happen without anybody noticing it. Although Mr. Raju claims that only a few people knew about the scam, the country’s regulators, including Sebi and India’s Institute of Chartered Accountants, have promised an investigation. This will inevitably lead to stricter oversight of auditors; furthermore, analysts believe the rules governing independent directors will need to be tightened to force them to be more accountable. Questions are also being asked about governance at India’s other family-dominated businesses.

Keyword here? Accountability. Once again, we see the need for an independent auditing platform, like the Kinamik Secure Audit Vault, for securing this kind of sensitive data and making it tamper-evident. Having this kind of platform in place acts as a deterrent: if any user (even the most privileged ones) has the certainty that his or her trails are being “recorded”, and cannot be covered, the occurrence of this kind of scandal would certainly be lower. Users at all levels, up to the C-level, will be accountable for their actions, and by having trustworthy and tamper-evident data on all the actions that took place, organizations could even protect the innocent by unquestionably proving not only what was done, but also that nothing has been changed.

You can read more about the Kinamik Secure Audit Vault here.

Wall of Shame: new at the kBlog (Lloyds TSB new scandal)

Friday, January 16th, 2009

At Kinamik we firmly believe that guaranteeing the trustworthiness (read: integrity) of any set of data used in a GRC implementation will very soon become a key requirement. There are many elements that show us that this is particularly true (you can read about it here and here). All these elements could be seen as “positive” proof that reinforces our view. But not all of the signs out there are positive… quite the opposite.

We are already seeing an increasing number of data manipulation scandals on front pages, and it is fair to think that many more are to come. So we have decided to participate in this public debate by commenting each time we hear about one of these cases.

The first post of this Wall of Shame series goes to the recent $350 million (265 million euro) that Lloyds TSB agreed to pay to the US authorities after being charged with tampering with and falsifying records so that Lloyds TSB clients from Iran, Sudan and Libya could do business within the US banking system. By making these modifications to the records, Lloyds was violating the International Emergency Economic Powers Act, which allows blocking commerce with countries that were deemed a threat to the United States.

According to US prosecutors, the bank’s misconduct went on for over 12 years, between 1995 and 2007. Lloyds’ actions, known as stripping, meant faking or completely erasing information such as customer names, bank names and addresses so that wire transfers could pass undetected through filters at the US banks.

Lloyds TSB declared that they fully cooperated in the investigation, and said that they were “committed to running our business with the highest levels of integrity and regulatory compliance across all of our operations, and have undertaken a range of significant steps to further enhance our compliance programs”.

Indeed, an enhancement in their compliance program could have prevented the tampering with these electronic records by Lloyds’ employees. In fact, one of the best ways of actually improving a compliance program is by making electronic records tamper-evident, so that they can be unquestionably trusted, with a system like the Kinamik Secure Audit Vault. With this kind of system in place, a simple check-up on audit data might have detected that there was something wrong, and these kinds of actions would not have gone undetected for over 12 years.

You can read more about this case here.