DATA SCAM: Software Engineer responsible for deleting files granted bail

COLOMBO (News 1st); The Software Engineer responsible for deleting files from the eNMRA database on the Lanka Government Cloud was granted bail by the Colombo Chief Magistrate's Court on Wednesday (17).

The Software Engineer identified as Pramodh Dilupa Ramanayake is charged with deliberately deleting over 11,000 files from the database of the National Medicines Regulatory Authority.

#DataScam :

On the 3rd of May 2018, the National Medicines Regulatory Authority (NMRA) and Epic Lanka Technologies Private Limited (‘EPIC LANKA’) signed an agreement for a period of five years to provide and implement a document & workflow management system as a service for NMRA.

Accordingly, the NMRA, termed as the employer was required to provide the Lanka Government Network (LNG 2.0) connectivity and On-site security, among other processes.

In addition, Epic Lanka Technologies was to provide 78 laptops, one LED monitor, and 10 wireless Laser Printers to the NMRA, with multiple sources that have confirmed that the agreement is SaaS, or ‘Software as a Service’.

The NMRA, Epic Lanka, and the ICTA – the consultant had thereafter agreed on the Software Requirement Specification and concluded the process with a User Acceptance Test, where NMRA personnel had tested the system on-site in the presence of ICTA personnel.

The total contract price for the total period of 60 months was agreed at just over 29 Mill Rupees (Rs. 29,130,900/- i.e.- Rs. 485,515/- x 60). Until July 2021, for a period of 25 months, the service was delivered.

That is until the infamous #DataScam took place.

According to inside sources, the architecture of the system provided to the NMRA does not specify an ‘official data classification’.

Sources have confirmed that the system provided two storages, one main database and secondary attachments database or the file server.

The main database is where all sensitive data on medicines and medical products are placed, and it is designed to go into auto-backup at midnight daily. The secondary database (File Server) with a capacity of around two terabytes was designed for the uploading of attachments to the sensitive material in JPEG or PDF format, sources have confirmed.

The File Serve will also contain research material for medicines and medical products.

Sources told News 1st that the File Server is not a system agreed to have a backup, as it was designated to hold non-sensitive material and the matter was never flagged at the review meetings for the 25 months until July 2021.

During the first week of July 2021, the NMRA had called for an online support meeting and the requirement, accepted by Epic, was passed down to the team of engineers in charge of the system.

Sources have confirmed that two days later, the NMRA had sent a system message claiming the File Server was not visible and a system inquiry had revealed that the Folder designated as File Server was MISSING.

An internal inquiry into the incident had revealed that the ‘unnamed systems engineer’ had executed the NMRA support required and given a ‘DELETE Command’ to the system.

The Systems Engineer had executed the DELETE command during the weekend.

Sources confirmed that the engineer claimed it was “a mistake” and he had deleted the Original File and not the Test File.

Forensic Investigations have revealed that the deletion of over 11,000 files NMRA files relating to medicines and medicinal drugs was not a mistake and was a deliberate act, the Attorney General’s Department told the Colombo Additional Magistrate’s Court on the 29th of September.