#DataScam : Epic Lanka Software Engineer, Arrested

COLOMBO (News 1st); The Software Engineer responsible for deleting files from the eNMRA database on the Lanka Government Cloud was arrested on Tuesday (28), by the Criminal Investigations Department.

Sri Lanka Police said the Software Engineer of Epic Lanka Technologies was arrested after confirming that he had accessed the database and intentionally deleted the files.

The 34-year-old suspect will be produced in court on Wednesday (29).

On the 3rd of May 2018, the National Medicines Regulatory Authority (NMRA) and Epic Lanka Technologies Private Limited (‘EPIC LANKA’) signed an agreement for a period of five years to provide and implement a document & workflow management system as a service for NMRA.

Accordingly, the NMRA, termed as the employer was required to provide the Lanka Government Network (LNG 2.0) connectivity and On-site security, among other processes.

In addition, Epic Lanka Technologies was to provide 78 laptops, one LED monitor, and 10 wireless Laser Printers to the NMRA, with multiple sources that have confirmed that the agreement is SaaS, or ‘Software as a Service’.

The NMRA, Epic Lanka, and the ICTA – the consultant, had thereafter agreed on the Software Requirement Specification and concluded the process with a User Acceptance Test, where NMRA personnel had tested the system on-site in the presence of ICTA personnel.

The total contract price for the total period of 60 months was agreed at just over 29 Mill Rupees (Rs. 29,130,900/- i.e.- Rs. 485,515/- x 60). Until July 2021, for a period of 25 months, the service was delivered.

That is until the infamous #DataScam took place.

According to inside sources, the architecture of the system provided to the NMRA does not specify an ‘official data classification’.

Sources have confirmed that the system provided two storages, one main database and secondary attachments database or the file server.

The main database is where all sensitive data on medicines and medical products are placed, and it is designed to go into auto-backup at midnight daily. The secondary database (File Server) with a capacity of around two terabytes was designed for the uploading of attachments to the sensitive material in JPEG or PDF format, sources have confirmed.

The File Serve will also contain research material for medicines and medical products.

Sources told News 1st that the File Server is not a system agreed to have a backup, as it was designated to hold non-sensitive material and the matter was never flagged at the review meetings for the 25 months until July 2021.

During the first week of July 2021, the NMRA had called for an online support meeting and the requirement, accepted by Epic, was passed down to the team of engineers in charge of the system.

Sources have confirmed that two days later, the NMRA had sent a system message claiming the File Server was not visible and a system inquiry had revealed that the Folder designated as File Server was MISSING.

An internal inquiry into the incident had revealed that the ‘unnamed systems engineer’ had executed the NMRA support required and given a ‘DELETE Command’ to the system.

The Systems Engineer had executed the DELETE command during the weekend.

Sources confirmed that the engineer claimed it was “a mistake” and he had deleted the Original File and not the Test File.

On Wednesday (22), Opposition MP Harin Fernando, a former Minister of Digital Infrastructure said the eNMRA system is such that files cannot be deleted in one go but one which asks for repeated confirmation before deletion.

The MP told parliament that the engineer who executed the deletion of files had tendered in his resignation from Epic Lanka Technologies, a month before the #DataScam took place. (Sources also confirmed this to News 1st and insiders say the resignation was withdrawn pending CID investigation).

He further said there are serious concerns about the engineer’s next place of employment, indicating a company that ran a certain ‘Yes We Can’ campaign. The Minister added that among the records lost were documents submitted for urgent COVID care-related products tenders worth Rs. 10 billion.

Deputy Solicitor General Dileepa Peiris had also informed the Colombo Magistrate’s Court that the deletion of data from the National Medicine Regulatory Authority’s database could be the result of a conspiracy hatched by the medical mafia that cashes in by importing medicines and medical devices.