An unidentified gang of 'cyber attackers' accessed National Board of Revenue’s server for three years stealing official user identity and passwords and thus released imported goods worth billions of Taka, reveals an investigation.
This is a major incident of cheating involving a government entity following the world's largest cyber heist of US$81 million of Bangladesh Bank money in 2016 that is yet to be unravelled entirely.
The 'miscreants' logged in to the NBR server for 3,777 times since 2016 using IDs of two customs officials to manipulate clearance process of imported goods, the Customs Intelligence and Investigation Directorate (CIID) found years later.
The investigation has so far confirmed that the series of fraudulent acts took place with the help of a section of government officials, including some from the port authorities, and private players who use the port.
However, only two persons were arrested in connection with the scam till date.
And, despite evidence of involvement of 20 importers and 10 clearing and forwarding (C&F) agents in the fraudulent practices, no effective initiative was taken to arrest them, official records show.
Eleven suspected officials have just been barred from travelling abroad.
Also, the amount of losses incurrred by the state due to this illegal acts are yet to be ascertained. CIID director general Shahidul Islam said it would be possible after completion of investigation.
At least 30 containers of imported goods were released from the Chittagong sea port, according to the CIID investigation.
It found that the manipulators logged in by using two IDs of retired customs officials, DAM Muhibul Islam and Fazlul Haque. None of them were posted at the port when the infiltrations took place and they said they also submitted their passports and relevant documents when they themselves were released from there.
In some of the declared import consigments, 30 containers were said to be packaged with iron and steel products. Customs officials now suspect that the containers might have had foreign cigarettes, expensive alcohol and apparel raw materials and stopped their release only to see them released somehow.
Four committees have been formed so far to probe the scam. A case has also been filed with the Ramna police station.
The imported goods were released through two types of fraud, said CID (Criminal Investigation Department) additional superintendent of police Rafiqul Islam, also the investigation officer of the case.
The importers managed to release 22 challans by using the stolen ID and password of the two said customs officials and 10 others by showing letter with forged signature of another custom official, the CID officer added.
How it all happened
NBR uses software called ASYCUDA World System for all its customs related works after imports of any goods. All the ports of the country use this software. It is controlled from the NBR office in Kakrail, Dhaka. The NBR can stop release of imported goods by using this software, officials say.
A number of customs officials claimed, they had locked out, using the automated system, some 22 containers of goods allegedly imported on false declaration.
They added, they only came to know at a later stage that those containers were released with just nominal payment of customs duty.
DAM Muhibul Islam was posted at Chittagong port from 2013 to 2015. He went on retirement in 2015. Fazlul Haque was posted at Chattogram for six years between 2009 to 2015.
According to service rules, an official is given an ID and password made on his/her name after his appointment.
Nothing detected on the server
The case statement said, the ID of Muhibul Islam was logged in for 116 times on ASYCUDA system after his transfer from Chittagong port. And, that of Fazlul Huq has logged in 3,661 times.
Muhibul’s ID was closed on 1 October 2016 but it was re-opened and remained active till 29 September, 2018. Fazlul Haque ID was active till 19 January this year.
Apart from Chattogram, the two ID were accessed in 6-7 places in Dhaka. those IDs might have been used in Kamalapur ICD and other ports to release goods.
Asked how the IDs were active even after the officials were no longer in service, the system manager of ASYCUDA World System Shafiqur Rahman refused to comment on the pleae of ongoing investigation.
He, however, admitted that the two-three layer security system was not active for the users of the software.
10 containers released using forged letter
Besides illegal access into the software system, goods of 10 containers were released using letters with forged signature of certain customs official named Sultan Ahmed.
Customs officials said, they sent a letter to private port operator company Saif Power Tech informing it of false declarations of 10 importer companies.
The customs office later came to know that the companies released their goods with nominal payment. The customs office also found that the containers were released on basis of a letter issued from Chittagong Customs House.
The letter came the way the government letter comes, said Chittagong port authority secretary Omar Faruque.
Saif Power Tech's chief operating officer Tanvir Hossain said the same. However both of them could not give clear answer as to why they released the containers without informing the customs authorities.
The 'fake' letter was issued from the AIR branch of Chittagong Customs, said the investigating CID official.
The computer used for typing the letter has been seized and the person who posted the letter has been arrested, he added.
What investigation reveals
Officials involved with the investigation said a group of miscreants have been smuggling in goods without facing any consequences for a long time. But a C&F agent and a labourer were arrested in connection with the latest act of fraudulence.
The arrested persons reportedly said three C&F agents namely Laila Trading Company, Saranika Shipping Kaizen Ltd and Majumder Trade International, -- are the main perpetrators of the fraudulence.
Several customs officials and the driver of an official are also involved in this scam, according to their statements. The group was said to have taken Tk one million for each container.
Cyber security specialist and network engineer Sumon Ahmed said to Prothom Alo, “This is deeply worrying. This is an evidence of how weak our cyber security system is. It is necessary to ascertain the amount of losses incurred due to this scam.”
“This is not a matter of avoiding liability only, the state’s security is also at stake. It is a must to find out the persons involved,” he added.
*This report, originally published in Prothom Alo print edition, has been rewritten in English by Farjana Liakat