For several months at least, the computer system of the Financial Intelligence Analysis Unit relied on a simple log-in/password system for its security. Given the sensitivity of the money laundering investigations this Unit is responsible for, that is staggering in itself. What is more amazing is that all staff shared a single password to log in to the system, a password less complex to crack than an expired bag of Twistees: “12:00”.
Notes on ongoing investigations into suspicious transactions, including a famous million-dollar transfer into Pilatus Bank, and another transfer from the LNG tanker manufacturer to a famous Dubai company, were accessible to people who had nothing to do with the investigations. This was so even when the investigations had not yet been completed and signed off.
They were also accessible to people who had an interest in the investigations not reaching a conclusion.
Now it is impossible to boil down the mad single-password strategy to a lack of awareness of basic information security needs. Even someone managing a small car rental business will want to know who logged in and out, and when, and to have an audit trail of any manipulations to the data retained by the system.
The government is especially aware of cyber-security issues, as well it should be. The 2016 MITA strategy on cyber-security does not make especially gripping reading, but in its way it is evidence that government agencies are aware of the risks of operating entirely exposed to cyber-crime.
And the FIAU is not your average paper-piling bureaucracy. It’s a clear and present target to sophisticated criminals who are keen to cover their tracks or destroy evidence against them.
Some of those suspected criminals are prominent officers of the state: senior government officials investigated for laundering of money from illicit sources – bribes and kickbacks.
If using an office-wide shared password cannot be reduced to banal incompetence, you have to suspect intent.
One: a shared password casts doubt on the soundness of an investigation, and hands anyone worried about where those investigations might lead a card to play in a court of law: the argument that the findings may have been tampered with;
Two: a shared password environment creates uncertainty and suspicion, allowing for the attribution of collective guilt if there are leaks or even collusion with suspects. Why would anyone want to allow that? Go back to one.
There has been spectacular turnover of employees at the FIAU at every level, from the director down to lowly analysts. There has rarely been much explanation of what causes this unusual turnover. But it can be safely assumed that FIAU officers enjoy little confidence that they can fulfil their mission of policing money laundering without interference from people who may very well be acting on behalf of the suspects they are or should be investigating.
It would be reassuring to know whether the FIAU has now adopted an individual signing-on procedure in place of the mess they had when Keith Schembri and Konrad Mizzi, among others, were in their staff’s sights.