COLOMBO (News 1st); The raging controversy in Sri Lanka over the missing data from the National Medicines Regulatory Authority (NMRA) database, has seen parallels being drawn with the Bond Scam of 2015. That scam too, began with an expose in the media, and at the start, the severity of what had taken place was not immediately clear.
In the case of the #DataScam as well, the enormity of its repercussions including the danger to national security is only now beginning to sink it and reveal itself. Today, as potential evidence of an ‘epic’ cover-up is being highlighted by politicians, religious leaders and industry experts alike, the public are perhaps feeling a sense of Déjà vu. So, News 1st has tracked the milestones of the #DataScam along with inside information to help you make sense of what could be, one of Sri Lankas worse white-collar crimes.
Let’s start at the very beginning. On the 3rd of May 2018, the National Medicines Regulatory Authority (NMRA) and Epic Lanka Technologies Private Limited (‘EPIC LANKA’) signed an agreement for a period of five years to provide and implement a document & workflow management system as a service for NMRA. Accordingly, the NMRA, termed as the employer was required to provide the Lanka Government Network (LNG 2.0) connectivity and On-site security, among other processes.
In addition, Epic Lanka Technologies was to provide 78 laptops, one LED monitor, and 10 wireless Laser Printers to the NMRA, with multiple sources have confirmed that the agreement is SaaS, or ‘Software as a Service’.
The NMRA, Epic Lanka and the ICTA – the consultant, had thereafter agreed on the Software Requirement Specification and concluded the process with a User Acceptance Test, where NMRA personnel had tested the system on-site in the presence of ICTA personnel.
The total contract price for the total period of 60 months was agreed at just over 29 Mill Rupees (Rs. 29,130,900/- i.e.- Rs. 485,515/- x 60). Until July 2021, for a period of 25 months the service was delivered.
That is, until the infamous #DataScam took place.
It is interesting to note here that, during the 25-month period progress review meetings had taken place between the NMRA, ICTA, and Epic Lanka Technologies every week on the system that was provided. According to inside sources, the architecture of the system provided to the NMRA does not specify an ‘official data classification’. Sources have confirmed that the system provided two storages, one main database and secondary attachments database or the file server. The main database is where all sensitive data on medicines and medical products are placed, and it is designed to go into auto-backup at midnight daily. The secondary database (File Server) with a capacity of around two terabytes was designed for the uploading of attachments to the sensitive material in JPEG or PDF format, sources have confirmed. The File Serve will also contain research material for medicines and medical products.
Sources told News 1st that the File Server is not a system agreed to have a backup, as it was designated to hold non-sensitive material and the matter was never flagged at the review meetings for the 25 months until July 2021.
During the first week of July 2021, the NMRA had called for an online support meeting and the requirement, accepted by Epic, was passed down to the team of engineers in charge of the system. Sources have confirmed that two days later, the NMRA had sent a system message claiming the File Server was not visible and a system inquiry had revealed that the Folder designated as File Server was MISSING.
An internal inquiry into the incident had revealed that the ‘unnamed systems engineer’ had executed the NMRA support required and given a ‘DELETE Command’ to the system. The Systems Engineer, let’s call him ‘Mr. X’, had executed the DELETE command during the weekend. Sources confirmed that the engineer claimed it was “a mistake” and he had deleted the Original File and not the Test File.
[Yes, that’s right. Here it is again: An engineer accessed one of the most secure servers in the country, and deleted one of the most sensitive file partitions, from one of the most sensitive databases, during a weekend].
Software Industry experts are gob smacked at the fact that the DELETE command was executed by an experienced engineer and are of the view that to execute a DELETE Command one has to get definite ‘instructions’.
Insiders have confirmed that following the deletion of files, the service provider had deployed two teams to carry out a forensic recovery process and had also given three options to the NMRA for the recovery of the missing files, however, the authorities had turned down these offers. It is also reported that during the same period when the files went missing, the Lanka Government Cloud was being updated.
Inside sources told News 1st that the service provider has requested for the Bitstream backups (also referred to as mirror image backups) of the system in order to recover the missing files.
Software experts have confirmed that though the DELETE command was executed, a forensic recovery will make it possible to recover the missing files via a ‘NODE RECOVERY’, where the node restore command restores the configuration of the local node from a configuration backup file.
[UPDATE: A subsequent ‘system maintenance’ carried out to the Lanka National Cloud by ICTA has made it unclear if this is now a possibility].
It is also established that The service provider had informed NMRA to be in the possession of the Disaster Recovery System.
Background- Why the ICTA can’t wash its hands off.
It was during this same period that on the 13th of January 2020, the Secretary to the President in a circular to all Secretaries of Ministries and Heads of Government Institutions said that government agencies are implementing IT bases solutions in isolation and were therefore directed to implement ICT/digital solutions under and overall management and supervision of the Information & Communication Technology Agency (ICTA) of Sri Lanka.
The circular makes it clear that ICTA cannot wash its hands off this very serious matter, which ultimately is about the security of sensitive data hosted on the Sri Lankan Government Cloud, a system that should be protected as a matter of National Security.
On the 02nd of March 2021, Secretary to the President in another circular noted that non-compliance of the circular was observed by several state institutions, and explanations were called from officials responsible for disregarding the instructions.
“On the 18th of February 2021, a discussion had taken place between the NMRA and the ICTA on the ‘Data Infrastructure Upgrade Solution’ for the NMRA. The discussion was raised at a board meeting several months later, however, it did not move forward from that point,” said Dr. Rasitha Wijewantha, the Chairman of the NMRA.
So according to the Chairman, a Disaster Recovery Plan was not important enough to be discussed and implemented for a system that involved data as important as the nation’s approved pharmaceuticals and medical devices. Internal sources have also confirmed to News 1st that teams are prepared to conduct a forensic recovery by accessing the Bitstream backups, however, the Sri Lankan authorities have denied access to the service provider.
It was only after that, that the authorities decided to file a complaint with the Criminal Investigations Department, leading to some startling revelations
On Wednesday (22), Opposition MP Harin Fernando, a former Minister of Digital Infrastructure said the eNMRA system is such that files cannot be deleted in one go but one which asks for repeated confirmation before deletion.
The MP told parliament that the engineer who executed the deletion of files had tendered in his resignation from Epic Lanka Technologies, a month before the #DataScam took place. (Sources also confirmed this to News 1st and insiders say the resignation was withdrawn pending CID investigation).
He further said there are serious concerns about the engineer’s next place of employment, indicating a company that ran a certain ‘Yes We Can’ campaign. The Minister added that among the records lost were documents submitted for urgent COVID care-related products tenders worth Rs. 10 billion.
The Million-Dollar question is, given the weight of evidence and questionable motives, why is the mystery engineer, still at large.
Deputy Solicitor General Dileepa Peiris had also informed the Colombo Magistrate’s Court that the deletion of data from the National Medicine Regulatory Authority’s database could be the result of a conspiracy hatched by the medical mafia that cashes in by importing medicines and medical devices.
This makes the answers to the questions below, a matter of national importance:
1. Why are authorities treating the Engineer concerned with kid-gloves?
2. Was the engineer in question influenced by an external party to execute the ‘DELETE command’ on the system? And if so, who is the ‘mastermind’ responsible for the #DataScam?
3. Why aren’t the authorities allowing Epic Lanka Technologies Private Limited to go ahead with the forensic recovery by re-writing the nodes to trace back the backup? Is this even possible, after ‘maintenance’ was carried out on the Lanka Govt Cloud, despite serious concerns against carrying it out given the circumstances.
The #DataScam cannot be seen solely as a case of missing or deleted data. It must be considered in the context of the Covid-19 pandemic and perhaps, several other allegations that have been made against importers of medicines and medical equipment. Was data deleted to hide something? Or, perhaps to erase the ability for investigators to discover that certain documents were never in the database to begin with?
Leave a Reply