Sri Lanka Cricket’s (SLC) IT system was so badly protected that it was left wide open to hacking, the Computer Emergency Readiness Team (CERT) says in a detailed report issued to the National Audit Office (NAO). But it does not rule out the possibility of inside involvement in the alleged wire transfer fraud that took place last year […]
The draft forensic audit says the IT manager could deliberately be hiding information. “We cannot rule out the possibility of an attempt by the IT manager to hide the information by not getting the emails logs for the maximum period,” the NAO’s own conclusions say.
According to the CERT report, the IT manager is capable of viewing emails and deleting logs related to each user. He can read anyone’s emails and is able to understand the business flow and, if interested, how the organization is operating.
“As mentioned earlier, this is a serious privacy issue because the IT manager can eavesdrop into the sensitive information,” CERT says. “For example, if the IT Manager of Sri Lanka Cricket wants to know how the invoices are generated in Sri Lanka Cricket it is possible to do so.”
“The IT manager is capable of adding email forwarders to anyone’s email account without getting into the user email accounts,” CERT has found.