Published on 12:00 AM, March 30, 2022

NBR server breach: Probe leaves puzzles

Found irregularities, yet held no customs officials responsible

A probe report on the breach of the NBR server that saw the release of 11 import consignments last year has raised more questions than it answered.

Despite finding irregularities in every step, from import to unloading, it gave a clean chit to the customs officials whose signatures were on the release and assessment documents of the consignments.

The 48-page report also did not recommend legal action against any of the importers although it observed that four of them "can't avoid their liabilities".

Between June and October last year, cybercriminals broke into the highly sensitive server of the National Board of Revenue, using the login IDs and passwords belonging to two customs officials.

In the process, nine of the consignments were released and the fraudsters, who also submitted fake documents, made away with at least 153 tonnes of goods worth crores of taka from the Chattogram port.

Customs authorities, however, managed to seize two other consignments at the last moment.

The nine consignments were released evading a large sum of duty -- the amount could not be estimated. As per the declaration, they contained yarn, woven and polyester fabrics, the duty on which is around 89 percent.

The Daily Star published a report headlined "NBR server breached, again" on November 15 and the Chattogram Custom House later formed a probe committee, which submitted its report on January 16 this year.

The probe report did not provide any information about the IP addresses used by the cybercriminals, the physical examination reports of the consignments, the list of vehicles that carried the goods, and the current location of the empty containers.

The Daily Star recently obtained a copy of the report.

When the scam took place, the two IDs used by the criminals to enter the system were supposed to be inactive. One of the officials had been transferred while the other was on suspension over bribery -- so neither had the authorisation to use the IDs.

Yet the committee didn't hold anyone responsible for the IDs remaining active.

After investigating for two months, the probe body recommended filing a forgery case against two officials of Prottoy International, the clearing and forwarding (C&F) agent for releasing the 11 consignments on behalf of the importers.

This was the second cyberattack on the NBR server after a gang had similarly released about 4,000 consignments using the active IDs of two former customs officials in 2019.

Experts fear the main culprits will go unpunished if some pertinent questions are not answered. They also termed the probe report incomplete and an apparent attempt to protect the culprits.

The probe, however, found discrepancies between the information in shipping documents and customs documents. The fraudsters also submitted fake import permission copies, shipping agents' papers and product lists, the report said.

The import permission numbers also did not match the shipping and customs documents.

"The forgery could have been averted had the port and customs officials properly checked the documents and also verified the authenticity of the import permission," the report observed.

THE IMPORTERS

Nine companies, whose names surfaced over the import of 11 consignments before the probe, in written statements to the committee claimed they were not involved in the forgery. They also denied any wrongdoing when contacted by this correspondent.

Four of the companies -- Grameen Knitwear Ltd, Shanta Denim Limited, Kong Keng Textile (Bangladesh) Co Ltd and Actor Sporting Limited -- "can't avoid their liabilities" as both the shipping and customs documents for four consignments were submitted in their names, the report said.

It, however, did not recommend any punishment against the four companies except for "monitoring their future import activities".

The probe committee cleared MGL Company BD Limited, Helicon Limited, Gold Shine Industries, Tigerco Limited and Brothers Plastic Industries Limited -- which were named only in customs documents for seven consignments. The authorities were able to prevent the release of two of the seven consignments.

Interestingly, five other companies were named as importers in shipping documents, which the committee found authentic.

They are Electro Pack, Hassan & Brothers, ARH Knit Composite Limited, Medina Corporation and Ma Stretch. Of them, Electro Pack responded to the inquiry committee hearing.

Regarding the four absentees, the probe body recommended their explanations be sought.

The Daily Star could not reach these five companies but learnt that they were not named in customs documents.

Proprietor of Prottoy International Md Hafizur Rahman said he had filed a case against some of his staff with Chattogram Bandar Police Station after being informed about this forgery.

"They have committed irregularities using my licence," he told The Daily Star.

Customs law does not allow the use of a licence on a rental basis.

UNANSWERED QUESTIONS

The committee did not mention anything about nine documents that reportedly went missing from the Customs House.

The probe committee could have obtained copies of the missing documents from alternative sources, said customs insiders.

The committee ignored the issue of finding the internet protocol (IP) addresses of the scammers who entered the NBR server. An IP is a unique address that identifies a device on the internet or a local network.

Regarding the server breach incident in 2019, the NBR investigation committee was able to identify seven cybercriminals by collecting IP addresses.

The probe report for last year's scam also did not reveal which officers were involved in physical testing of the consignments all the way to the last stage of releasing goods.

Besides, customs has no information about the whereabouts of the empty containers, although those were supposed to be returned to customs depots 15 days after the goods reached their destinations.

The investigation committee did not collect the information of the vehicles that carried those consignments from the port although the gate officials have detailed information about those transport companies.

By ignoring this, the insiders said, the probe body wasted an opportunity to get an idea about the destinations of the goods.

Then there is the issue of IDs of the two officials.

"The ID of a transferred officer should not be active unless those in charge of IT section are negligent or involved," former NBR officer Maruful Islam told The Daily Star.

Maruful, also former commissioner of Chattogram Customs House, said, "I retired eight years ago and my ID was deactivated immediately."

Tafsir Uddin Bhuiyan, the convener of the probe committee, acknowledged that it would have been better to have these issues in the report.

He, however, does not think that the main culprits would be able to escape.

"We could not look into these issues due to lack of time and other limitations," said Tafsir, also joint commissioner of Chattogram Customs House.

Customs House Commissioner Fakhrul Alam said it was not possible to identify the main culprits and the destinations of the goods in the investigation due to some limitations.

"However, I believe it will come out in the police investigation."

Iftekharuzzaman, executive director of Transparency International Bangladesh, said, "It is frustrating that the main culprits remain unidentified due to poor customs investigations."

In order to prevent recurrence of such crimes, he added, it is indispensable to bring to justice all three parties -- the C&F agents, customs officials and the importers who are the principal beneficiaries of the illegalities.