Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 117 of 425

333. The DA. account was also used in the login attempts. This was an account belonging to an IHiS domain administrator. The account was not authorised to access the SCM database. On the evening of 11 June 2018, Katherine called the domain administrator asking if he had attempted to access the SCM database, and he confirmed that he did not attempt to do so. Later that same evening, the domain administrator changed the passwords to the DA. account.
334. At this stage, Katherine realised that it was not a test but was something unusual, because “[the domain administrator’s] user-ID would not be used in testing the system”, and the domain administrator had confirmed that he had not tried to access the SCM database. She surmised that someone was trying to access the SCM database. However, as she had already escalated the matter to the Citrix administrators, she left it to them to follow up with further investigations.
20.2 Detecting unusual logins to Citrix Server 1 using the LA. account
335. Upon reviewing the contents of Katherine’s emails, Lum and his team of Citrix administrators determined that (i) the attempted logins were made at the database-level and not through the SCM front-end application, and (ii) the IP address in question was assigned to Citrix Server 1.
336. On the understanding that a user would have to log in to Citrix Server 1 before attempting to log in to the SCM database, Lum tried to trace who had logged into Citrix Server 1 on 11 June 2018, in order to identify the person or persons who had attempted to log in to the SCM database.
337. While there were many logins on that day, there were two logins which Lum saw as “unusual” – these were the logins using the LA. account. These were unusual to Lum as the LA. was not an account that staff would use in day-to-day operations.
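
The triage steps in paragraphs 335 to 337 (resolve the source IP of the failed database logins to a server, then review that server's logons for the same day and single out accounts not in day-to-day use) can be expressed as a small correlation routine. This is an added example, not part of the COI report or of any IHiS tooling; the log layout, IP address, times, the `svc_x` and `staff*` names, and the routine-account list are constructed assumptions, and "DA." and "LA." are used only as the labels that appear on this page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the report): times, IP and staff names are invented.
# "DA." and "LA." are the account labels as they appear on the page.
IP_TO_HOST = {"192.0.2.10": "Citrix Server 1"}
ROUTINE_ACCOUNTS = {"Citrix Server 1": {"staff01", "staff02"}}  # assumed day-to-day users

DB_LOGINS = [  # database-level login attempts against the SCM database
    ("2018-06-11 11:05:10", "192.0.2.10", "DA.", "FAILED"),
    ("2018-06-11 11:07:42", "192.0.2.10", "svc_x", "FAILED"),
    ("2018-06-11 11:30:00", "192.0.2.10", "app_svc", "OK"),
]
HOST_LOGONS = [  # logons recorded on the source servers
    ("2018-06-11 09:00:03", "Citrix Server 1", "staff01"),
    ("2018-06-11 10:58:21", "Citrix Server 1", "LA."),
    ("2018-06-11 13:12:47", "Citrix Server 1", "LA."),
    ("2018-06-11 14:00:00", "Citrix Server 1", "staff02"),
    ("2018-06-12 08:00:00", "Citrix Server 1", "LA."),
]

def day(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()

def triage(db_logins, host_logons, ip_to_host, routine):
    """For each failed database login, resolve the source IP to a host and
    list same-day logons on that host by accounts outside its routine set."""
    findings = defaultdict(lambda: {"failed_db_accounts": set(), "unusual_logons": []})
    for ts, ip, account, result in db_logins:
        if result != "FAILED":
            continue
        host = ip_to_host.get(ip, f"unmapped:{ip}")  # keep unknown sources visible
        findings[(host, day(ts))]["failed_db_accounts"].add(account)
    for (host, d), entry in findings.items():
        entry["unusual_logons"] = [
            (ts, acct) for ts, h, acct in host_logons
            if h == host and day(ts) == d and acct not in routine.get(host, set())
        ]
    return dict(findings)

if __name__ == "__main__":
    results = triage(DB_LOGINS, HOST_LOGONS, IP_TO_HOST, ROUTINE_ACCOUNTS)
    for (host, d), f in results.items():
        print(host, d, sorted(f["failed_db_accounts"]), f["unusual_logons"])
```

An allow-list of routine accounts per server is what makes the local administrator logons stand out among the "many logins on that day"; without it, the reviewer has to recognise the unusual account by eye, as Lum did.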


