NBR server breached, again
Cybercriminals have once again breached the National Board of Revenue's highly-sensitive server system and made away with at least 153 tonnes of goods worth crores of taka from the Chattogram port.
Like in the past, the fraudsters used the login IDs and passwords belonging to two customs officials to have nine consignments released. The scam took place between June and October this year.
In the process, nine importers evaded a large sum of duty -- the amount is yet to be estimated.
When their credentials were used, none of the two officials had authorisation to access the system. One of them was transferred to another location months ago while the other was on suspension over a bribery allegation, unrelated to this incident.
Investigations are underway, but both officials denied any link. Managing directors of two importing companies and the chairman of another did not respond to our calls and text messages. An official of a fourth firm declined to comment while five other importers could not be reached.
The breach has raised questions about the security of the server system. Once into the system, cybercriminals can issue duty-free release orders for any number of consignments.
This is the second known incident that scammers have accessed the NBR server -- known as Automated System for Customs Data World -- with unauthorised credentials.
Earlier in 2019, customs intelligence uncovered a series of breaches in the server between 2016 and 2018.
At the time, the cybercriminals had broken into the system using credentials of two other customs officials and released 3,337 consignments worth Tk 850 crore, according to an investigation by Customs Intelligence and Investigation Directorate (CIID).
Investigators had found that the Internet Protocol (IP) addresses used to access the system did not belong to the customs office. They were rather located in different areas in Dhaka and Chattogram where offices of seven C&F agents and two importers were located.
Two cases -- one by the Anti-Corruption Commission and other by the police -- are under trial in connection with that incident. The ACC case deals with the customs officials' alleged involvement while the police sued seven C&F agents and two importers for the forgery. Police had arrested four people in this connection. All four are now on bail.
After the 2019 breach, the customs authorities put in place a tougher credentials check and fixed some glitches. The authorities also issued an order to deactivate the IDs of officials immediately after their transfer.
But the latest breach shows that the IDs of the two officials were still active. It is not yet clear who used them or from where.
All the nine consignments were officially 'locked' by customs officials on information of irregularities. Consignments that are marked 'locked' must go through physical inspections before their final release from the port depot.
Kazi Muhammad Ziaul Haque, senior system analyst (IT) of NBR, said no one could use IDs and passwords without the involvement of the ID holders.
"Even the IT department of NBR is not able to know this password. However, anyone can access the NBR server from any part of the country if he can get an ID and its password," he said.
NBR and customs officials said they were still gathering information as to what exactly happened and how.
"We are trying to find it out. We cannot comment until we have more details," said Mizanur Rahman, deputy commissioner of Chattogram Customs House.
Documents obtained by The Daily Star show the nine consignments were released by submitting fake Import Permission (IP) papers from Bangladesh Export Processing Zone Authority (BEPZA) in order to get duty-free facility.
Import items of cent percent export-oriented companies are duty-free. To claim the benefit, importers must submit the IP issued by BEPZA.
With their own IDs and passwords provided by the customs authorities, importers and C&F agents can only upload import documents on the NBR server from any location in Bangladesh. They cannot change anything after the upload is complete, nor do they have access to any other files.
According to customs sources, the authorities had originally flagged 11 consignments of nine importers. Of the 11, nine were fraudulently released, and customs authorities managed to seize the two others at the last moment.
"As per the declaration, the nine consignments carried yarn, woven fabric and polyester fabric. Now, we cannot really tell what was there as we could not examine them. But I do not think anyone would use fake Import Permissions if their declaration was proper," said a customs official on condition of anonymity.
One official with direct knowledge of the investigation said they cannot even find some hard documents related to the nine consignments.
The consignments arrived from China, Hong Kong and the United Arab Emirate between June and October this year.
Eight of them were released by using the ID of Revenue Officer Amir Hossain, and the other by using Revenue Officer Zainab Begum's ID.
Contacted, Amir Hossain said, "Under the rule, the authorities were supposed to deactivate the user ID of the officials after transfer. I don't know why they didn't do it. I have nothing to do with this fraud."
Zainab said she was not aware of the misuse of her ID. "I have no idea about the forgery, and I don't know how my user ID was used."
Her ID was used on August 23, the day her suspension took effect, sources said.
Six of the nine importers are based in Dhaka EPZ and three in Ishwardi EPZ, according to their declaration papers.
The Daily Star called and sent messages to Abdullah Hil Rakib, managing director of Grameen Knitwear Ltd, Khandaker Moniruddin, managing director of Shanta Denims Ltd, and Mohammed Abdul Matin, chairman of Helicon Ltd. None of the three importers, based in Dhaka EPZ, responded yet.
An official of Tigerco Ltd, also a DEPZ-based importer, declined to comment.
The Daily Star could not reach the five other importers for comments.
All the nine importers hired C&F agent Prottoy International for unloading their shipments.
Its proprietor Md Hafizur Rahman said his business was based in Dhaka and that he worked through his local agents Mohammad Masud and Emon, who use his licence on a rental basis. "They could be involved with the unloading," he said.
Customs law does not allow use of licence on a rental basis.
Contacted, Masud and Emon tried to distance themselves from each other and said they were not involved in the unloading.
Customs Commissioner Fakhrul Alam said he ordered an investigation and vowed to take action against the culprits.
Comments