COI Report – Part IV
Page
123 of
425 21 EVENTS OF 12 JUNE 2018 21.1 Discovering failed logins to SCM database from Citrix Server 1 dating back to 24 May 2018 356. In the morning of 12 June 2018, Katherine provided Kelvin with the logs of failed logins to the SCM database dating back to May 2018, further to a request made by Kelvin earlier. These logs were subsequently
forwarded by Kelvin to Lum.
357. Katherine reviewed these logs, and noticed that in addition to the unusual failed attempts on 11 June 2018, there were a number of unusual failed attempts to login to the SCM database from Citrix Server 1 beginning from 24 May 2018. These were in fact the failed attempts discussed in paragraph 176 (pg 62) above. While Katherine would have received notifications of these failed attempts
around the time they happened, she had not noticed them earlier.
358. Although Katherine noticed now that there was a pattern of unusual failed attempts to login to the SCM database dating back to 24 May 2018, she did not take any further steps to report the matter or discuss this matter with anyone. She did not see a need to, given that Kelvin
and Lum had a copy of the logs, and she assumed that they would look into the matter.
21.2 Detecting further failed logins to the SCM database from Citrix Server 1 on 12 June 2018 359. In the afternoon of 12 June 2018, Katherine received system-generated database alerts showing a number of failed attempts to login to the SCM database from Citrix Server 1 earlier that day. As described in paragraph 179 (pg 63) above, these included the attempts made using accounts which had not been granted access to the SCM database. These emails
were forwarded to Kelvin, Robin and
Lum shortly after Katherine received them.
At that time, Katherine had in mind that these errors involved end-user accounts, and it was thus appropriate for
