COI Report – Part IV
Page 141 of 425
connecting to the SCM database. However, in his words, “this did not ring any
alarm bells in my mind”. Despite Benjamin having used the words IT incident, Ernest did not view these facts as constituting a security incident.
424. It is apposite at this point to note Ernest’s understanding of what constitutes a security incident’:
(M)y definition of a security incident is one where (a) there must be a
100% confirmation of malicious intent, and (b) the malicious activity must be successful i.e. an attempt is insufficient.
425. The emphasis here is on confirmation, both in terms of malicious intent and the success of the malicious act. Thus, to Ernest, collecting workstations for investigation was “a fairly common occurrence” that was “based on suspicion”, and did not amount to a security incident because it was not yet confirmed. Likewise, attempts to connect to the SCM database were mere attempts – unsuccessful, and therefore not security incidents.
426. On 19 June 2018, Ernest returned to work and checked with Benjamin verbally whether the forensic analysis of the endpoints was complete, to which Benjamin replied in the negative. On 20 June 2018, Ernest met with Lum and they discussed the events that had occurred. Lum informed Ernest that the LA. account had a weak password and could have been compromised, and that the password had already been changed. Since the password was changed, Ernest did not consider thereto be a reportable security incident.
427. In the period preceding 26 June 2018, it appears that there was no significant discussion between Ernest and Wee about the events of 11 to 13 June
2018. From 20 June to 3 July 2018, Wee was on medical leave, but he was able to look at the TigerConnect chat group “on and off”.
|
