Tracing the QuadrigaCX Funds: A Spenserian Perspective

On March 7, The Times reported on the efforts of professional services firm Ernst & Young to access the CA$180 million (US$133.9 million) in investor funds that Gerald Cotten, the late Chief Executive Officer of cryptocurrency exchange QuadrigaCX, had reportedly placed in an offline “cold wallet.”  Cotten, who died suddenly in India in December 2018, was believed to be the only person who knew the password or recovery key to the cold wallet.  At the behest of the Nova Scotia Supreme Court, from which QuadrigaCX sought creditor protection, Ernst & Young reviewed electronic records of funds going in and out of QuadrigaCX.

Ernst & Young reportedly has now found “that all the funds had been withdrawn in April [2018], months before Cotten died.”  It identified 14 accounts, which Cotten created using “various aliases,” that were used to trade on QuadrigaCX “and possibly to withdraw money for transfer to other exchanges.”  Ernst & Young is now contacting those exchanges “to see if they can find any evidence of the money from the 14 accounts deposited with them.”

Those who entrusted their funds to Cotten – already irate that Cotten’s widow, Jennifer Robertson, this week requested reimbursement of CA$225,000 in court fees – must be both heartsick and hopeful about the Ernst & Young information.  For now, they should take comfort from Spenser’s line in The Faerie Queene: “ . . . there is nothing lost, that may be found, if sought.”  If their investments were transferred to other cryptocurrency exchanges or other financial institutions, those funds should be further traceable, and the individuals and entities who effected the transfers available for questioning – by both investors’ attorneys and law enforcement authorities.

Chinese Hackers Target 27 Universities Globally in Pursuit of Maritime Military Secrets

On March 5, the Wall Street Journal reported that Chinese hackers have targeted 27 universities in the United States and other countries “as part of an elaborate scheme to steal research about maritime technology being developed for military use,” according to cybersecurity experts and current and former U.S. officials.

A report by cyber security firm iDefense found that a total of 27 universities – including Duke University, the Massachusetts Institute of Technology, Pennsylvania State University, and other universities in Canada and Southeast Asia – had been targeted by the hackers, based on the fact that those universities reportedly “either studied underwater technology or had faculty with relevant backgrounds.”  Some of the universities reportedly have been working on underwater communications technologies, and MIT in particular “conducts research on warship design.”

The iDefense report noted that the hackers used a simple and time-tested attack technique, “sen[ding] universities spear phishing emails doctored to appear as if they came from partner universities, but they unleashed a malicious payload when opened.”  According to The Times, the hacker group in question, known variously as APT10 and Temp.Periscope, “has also tried to infiltrate computer networks of companies involved in chipmaking, advanced manufacturing and industrial processing . . . [and] is thought to be behind the [2018] theft of missile plans from a US naval contractor.”

Note: These cyberattacks on universities are only the latest manifestation of the sustained offensive that Chinese hackers have directed at the United States and other countries in pursuit of military and trade secrets and other intellectual property.  These latest reports should prompt Chief Information Security Officers and Chief Compliance Officers to take two actions:

  • First, use these attacks as illustrations in new cybersecurity warnings to employees about spear-phishing attacks and the risks to the company from opening such messages;
  • Second, update information-security due diligence for third-party providers (including law firms) and joint-venture partners with which the company is sharing sensitive data for business reasons.

Unfortunately, the increasing sophistication of Chinese hacker teams in recent years means that cybersecurity teams in companies and agencies must base their cyberdefense planning on the Red Queen’s advice: “ . . . it takes all the running you can do to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

BMW, Daimler, and Volkswagen May Face Fines of Up to €50 Billion for Conducting Cartel to Conceal Diesel-Emissions Cheating

Today, The Times reported that leading German automakers BMW, Daimler, and Volkswagen “are facing fines of up to €50 billion as the European Commission [(EC)] investigates claims that they conspired as a cartel to cover up their cheating on diesel emissions.”  The article cited a report that Margrethe Vestager, the EC Commissioner who oversees the Directorate-General (DG) for Competition, is preparing to send the three companies “a formal letter of complaint that would be a prelude to heavy penalties.”  Once the EC completes its work, reportedly in the spring of 2019, the penalties it could levy under EU competition law could be as much as “10 per cent of each company’s annual turnover, which last year amounted to a combined total of nearly €500 billion.”

The Times explained that “German prosecutors suspect that the car manufacturers not only systematically gamed pollution tests on their diesel engines but also colluded over at least eight years to conceal their actions from the authorities.”  According to The Times, the German business newspaper Handelsblatt obtained a substantial quantity of emails indicating “that the three carmakers were aware that their vehicles were emitting illegal levels of nitrous oxide and nitrogen dioxide at least 12 years ago.”  Although German automotive engineers had devised a method of reducing those levels by washing a cleaning fluid known as Adblue through a car engine after the combustion process, “this method turned out to be prohibitively expensive and left potentially damaging residues in the machinery.”

This reportedly led to a “crisis meeting” in Munich between representatives of the three German companies in 2007.  The representatives “allegedly made a pact to limit their use of Adblue and to cover up their tracks,” as reflected in various emails, such as:

  • An email circulated within BMW after the meeting “is said to have included a warning that its contents should ‘by no means be shown to the authorities’.”
  • In January 2008, an Audi manager “allegedly wrote to his colleagues in an email with the subject line Adblue consumption: ‘My verdict: we won’t make it without cheating’.”
  • A subsequent email in 2008 by “another senior developer at Audi apparently warned Volkswagen executives that the Adblue taskforce’s conclusions were ‘not to be mentioned in any way’ to American environmental regulators.”

Handelsblatt also stated that the three companies, seeking to expand their U.S. market share, reached an agreement to put smaller Adblue tanks in their vehicles.

Note: The DG-Competition investigation, which began in September 2018, appears to be part of a broad-based enforcement program by the EC directed at cartel behavior in the German automotive industry.  Just yesterday, the EC announced that it was fining Autoliv and TRW, two car safety equipment suppliers, a total of €368,277,000 ($416,851,000) for their participation in two cartels for the supply of car seatbelts, airbags, and steering wheels to the Volkswagen and BMW Groups.  The EC stated that because those two carmakers sell approximately three out of every ten cars bought in Europe, the cartel behavior “is likely to have had a significant effect on European customers.”

Even though Commissioner Vestager has yet to make a final decision regarding the three German automakers’ own cartel behavior, both she and the companies must be mindful that in its emissions-cheating scandal, Volkswagen paid a total of $25 billion in fines, penalties, and restitution in the United States, but nothing to authorities in Europe, where it sold nearly 14 times as many diesels.  The DG-Competition will likely have little patience with the three companies’ allegedly compounding diesel-emissions cheating with concerted action to conceal that cheating.

APWG Issues 4Q 2018 Report on Phishing Trends

On March 4, APWG (formerly the Anti-Phishing Working Group) released its report on phishing trends for the fourth quarter of 2018.  The report included the following key trends and developments:

  • Phishing Sites: In Q4, APWG detected 138,328 phishing sites. This continued the steady decline in phishing sites over Q1 (263,538), Q2 (233,040), and Q3 (151,014), and amounts to only 52 percent of the Q1 total.  As was the case in Q3, APWG members still detected an increased number of redirectors before the phishing landing page, and after the victim submitted his or her data, “in an effort to obfuscate phishing URLs from detection.”
  • Phishing Reports: In Q4, 239,910 phishing reports were submitted to APWG, slightly lower overall than Q2 (262,704) and Q3 (264,483).
  • Most-Targeted Industry Sectors: According to MarkMonitor data, phishing that targeted software as a service (SaaS) and Webmail services’ brands increased dramatically, from 20.1 percent of all attacks in Q3 to nearly 30 percent in Q4. In contrast, attacks against cloud storage and file hosting sites continued to decrease, from 11.3 percent of all attacks in Q1 to 4 percent in Q4.
  • Use of Domain Names for Phishing: 6,718 confirmed phishing URLs reported to APWG in Q4 were hosted on 4,485 unique second-level domains.  The highest-ranked Top Level Domain (TLD) used for phishing was the legacy global TLD .com, which accounted for 2,098 unique domains for phishing.
  • Use of HTTPS Encryption Protocol: APWG contributor PhishLabs found that in 4Q, for the first time since it began measuring use of the HTTPS encryption protocol by phishing sites, the number of phishing sites protected by HTTPS fell slightly to 47 percent of all phishing sites. That 47 percent, however, is still the second-highest percentage (other than 3Q 2018) since Q1 2015.
  • Phishing Kits with “Black Friday” Theme: In November 2018, Brazil-based firm Axur saw

phishing kits being sold with a Black Friday [November 23, 2018] theme. Phishing kits are software packages that allow a phisher to set up phishing sites, send out spam messages to lure in victims, collect the data from the victims, and other useful capabilities. This kind of phishing is very popular in Brazil during the week preceding Black Friday and it affects the country’s main e-commerce companies.

Note: Chief Information Security Officers (CISOs) and Chief Compliance Officers (CCOs) should share this information with their respective teams.  Because cybercrime techniques change so quickly, information that identifies critical trends affecting particular business sectors needs to be disseminated quickly as well.

Revolut Faces Financial Conduct Authority Inquiry Into Sanctions Compliance Controls and Belatedly Acknowledges CFO Resignation

Within the past week, The Telegraph published several articles reporting on two issues involving compliance and governance at digital bank startup Revolut Ltd.  First, on February 28, it reported that the London-based firm, which offers a variety of retail financial-services products through its app, had failed “to block thousands of potentially suspicious transactions on its platform, due to Revolut’s switching off an automated system designed to stop dubious money transfers” between July and September 2018.  The report speculated that “thousands of illegal transactions may have passed through [Revolut’s] system” during that period.

On March 1, The Telegraph stated that Revolut launched an internal investigation in late 2018 after a whistleblower contacted its board about “serious issues with its sanctions screening system.”  It reported that Revolut’s head of legal drafted a letter to the FCA that detailed the change, but that “a decision was made internally not to send the document.”

On March 1, the Financial Conduct Authority acknowledged that it had been in contact with Revolut “to understand and assess the issues” that the Telegraph reporting raised. It further stated that it “expects all firms to have appropriate systems and controls in place at all times to monitor and counter the risk their services are abused for financial crime.”  A Revolut spokesman stated that “the company investigated after a whistleblower went to Revolut’s board with concerns that the sanctions compliance system had been turned off.”

Second, on March 1, The Telegraph reported that Peter O’Higgins, Revolut’s Chief Financial Officer, had resigned from the company in January 2019.  It said that Revolut confirmed that O’Higgins, an experienced financial-services executive who had been at Revolut since 2016, “quit the company at the start of the year.”  A Revolut spokesman separately responded that O’Higgins had left the company, but asserted that “there is no relation whatsoever to the compliance issue suggested by The Telegraph.”

The founder and Chief Executive Officer, Nik Storonsky, responded with a blog post, entitled “Let me set the record straight,” on both the compliance-controls issue and O’Higgins’s resignation.  On the compliance issue, Storonsky characterized The Telegraph’s reporting as “some misleading information in the media relating to our compliance function.”  He explained that in July 2018

we rolled out a more advanced sanctions screening system in parallel with our existing controls. Like any other technology company, we’re always looking to improve our systems.

During the initial testing stage of these new systems, we decided that they were not calibrated to a standard that we would expect, so we therefore decided to temporarily revert to our existing controls, while we continued to enhance the new systems. In our view, the new systems were imprecise and were resulting in too many false positive cases, which in turn resulted in an increase in customer dissatisfaction.

He also stated that

[a]t no point during this time did we fail to meet our legal or regulatory requirements. We conducted a thorough review of all transactions that were processed during this time, which confirmed that there were no breaches. Unfortunately, this fact was not included in the original news story. This roll-out did not result in a breach of any sanctions or money laundering laws and requirements – so we did not send a formal notification to the regulator.

With regard to O’Higgins’s resignation, Storonsky explained that O’Higgins’s decision to resign was unfortunately “caught up” in the media coverage on the compliance issue:

Any suggestion that Peter’s resignation is in any way, shape or form connected to this roll-out is utterly false and damaging. Peter has since expressed to me that he has been hurt by this suggestion and sad that his departure has been tainted in this way.

In reality, Peter has decided to step down on the basis that he feels that the business will require someone with global retail banking experience as we prepare to apply to become a licensed bank in multiple jurisdictions.

Storonsky added that the Revolut team “will be sad to see Peter go,” but respect his decision to step down, and expressed his gratitude to O’Higgins “for his commitment, enthusiasm and accomplishments” over his three-year tenure.

Note: These reports are the latest in a spate of unwelcome publicity for Revolut in the past month.  On February 8, Revolut admitted that in its series of London Underground ads, precise data in the text about the spending habits of users of its app were “just made up.”  On February 28, Wired reported, based in part on interviews with former company staff, that Revolut’s dramatic growth “has come at a high human cost – with unpaid work, unachievable targets, and high-staff turnover.”

As of this writing, the FCA has not made any determination about whether Revolut’s changeover of its sanctions compliance system last year involved a compliance breakdown.  At a minimum, other companies should treat this situation as a reminder that whenever they need to revise or test any compliance system, such as anti-money laundering or sanctions, that requires constant screening of specific financial transactions, they need to be certain that they do not lose transaction data or fail to review those data in a timely manner, in order to prevent processing prohibited transactions.

In his post, Storonsky wrote that although they reverted to their existing controls for a time, they “conducted a thorough review of all transactions that were processed during this time” and found no breaches.  Storonsky, however, did not specify how promptly that review occurred.  Even if the facts bear out Storonsky’s statement that they found no breaches, the FCA will undoubtedly want to determine whether there were significant delays in that review that could have allowed prohibited transactions to clear through Revolut’s app.

Storonsky’s statements about O’Higgins’s resignation also warrant a closer look.  At several points in his post, he used conditional, perfect, and future tenses to refer to that action (emphasis supplied):

  • “Yesterday, it was reported that my friend, Peter O’Higgins, would be stepping down as our Chief Financial Officer . . . .”
  • “ . . . Peter has decided to step down on the basis . . . .”
  • “ . . . myself and the wider team will be sad to see Peter go . . . .”

If, as The Telegraph reported, O’Higgins quit Revolut at the start of 2019, these statements by Storonsky are needlessly misleading.  Regardless of the reasons for a senior executive’s departure, if an executive has in fact left, the company needs to inform the public (and potentially regulators) promptly that he or she has departed, and not imply that the departure is a future event.  For Revolut to fail to report a C-level executive’s departure for a month or more, and then to issue statements by its CEO that suggest the executive has not yet departed, can only invite additional scrutiny from regulators.