COI Report – Part IV
Page
155 of
425 26.4 Terminating unusual queries to the SCM database 478. By this point,
Sze Chun and Katherine, being unsure who was running the ongoing queries, decided they should immediately
terminate the queries, and wait and see if they received any calls from any affected users or colleagues.
479. Later on 4 July 2018, further to discussions between IHiS staff including Henry, Kelvin,
Sze Chun, and Katherine, it was also decided that they would immediately terminate any similar queries as they may arise. A few more such queries were terminated over the course of 4 July 2018. Katherine and the Applications Team never received any calls from any users or colleagues complaining about terminated queries or sessions.
26.5 Attempts to locate Workstation Band linking up with Benjamin 480. At around the same time on 4 July 2018, Sze Chun took steps to ascertain the exact physical location of Workstation B. He was informed that Workstation B had been confiscated by the SMD, and was directed to Benjamin.
481. Sze
Chun then met with Benjamin, who informed Sze Chun that the workstation was not connected to the network, and was with the Security Management Department for investigations. Sze Chun then informed Benjamin that Workstation B had been detected as having
executed SQL queries to the SCM database on 4 July and showed Benjamin the details of the SQL queries that had been run from Workstation Band VM 1.
482. Seeing as Workstation B was with the CERT and could not have run the SQL queries, Benjamin thought that “
this could not be happening”, and wanted to immediately escalate the matter to Ernest.
483. The TigerConnect chat logs show that at around pm on 4 July 2018, Benjamin addressed Ernest in the TigerConnect chat group, stating
that he had met with Sze Chun, and that “
we really need to escalate into incident ... Seems