Department of Social and Family Affairs: Telephone fraudsters last year hacked into the internal phone network of the Department of Social and Family Affairs, racking up almost €300,000 worth of calls over two months.
The C&AG report revealed that, following the security breach, hackers - probably based overseas - charged €12,000 in international calls to the Department in one weekend.
In response to the Comptroller's queries, the accounting officer of the Department said it "reacted swiftly to the intrusion" and sealed off and made safe the danger area.
An advisory letter has since been sent out from the Department of Finance to warn information technology managers in all Departments of the threat of future breaches.
The C&AG said the problem was identified on August 6th, 2002, when the Department's account manager at Eircom reported an atypical pattern of international calls from one of the Department's 20 Private Automatic Branch Exchange (PABX) systems. Such systems include a facility allowing people to dial in externally through the use of a private identity number.
Inquiries determined that over the previous weekend - the August bank holiday weekend - international calls from that exchange amounted to around €12,000.
The Department immediately instructed Eircom to bar international calls from that exchange.
As part of the investigation a physical extension was attached to the number which had been used at the PABX (which had had no handset attached). This allowed details of some incoming calls to be monitored. Calls to the number came in from Holland, Belgium and Italy. The feature was then disabled.
In the Department's case, the facility was originally installed to allow technical personnel to carry out remote maintenance. At the time of the security breach, the Department was unaware the feature was still operating.
The C&AG asked the Department to explain the failure of its monitoring system to detect the illegal usage, which cost €294,136 in July-August 2002, mainly as a result of calls to Africa and the Far East.
The Department's accounting officer said it had failed to notice the €85,297 worth of fraudulent calls in its July phone bill because "the overall total was not noticeably higher than the norm". The total bill was €303,556 compared to an average of €125,000.
The Department added it did not consider that compensation was due from Eircom as it was not in a position to allocate responsibility to the company for the breach. Following the incident, the Department installed a software package on all PABXs to monitor outbound call traffic.
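The report makes clear why a check on the monthly bill total missed the July calls and why per-PABX outbound monitoring was the fix. The following is an added illustration, not the Department's or Eircom's software: it runs two checks over a handful of constructed call-detail records (the extension number 4099, the destinations, the costs and the "average" bill are all made up) to show that a per-extension, out-of-hours, international-call rule fires on the weekend traffic while a coarse total-bill threshold does not.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records: (timestamp, extension, destination country, cost in EUR).
# Extension 4099 stands in for the remote-maintenance port that had no handset attached.
SAMPLE_CDRS = [
    ("2002-08-02 10:15", "2101", "IE", 0.40),   # Friday, business hours, domestic
    ("2002-08-02 11:02", "2102", "GB", 2.10),   # Friday, business hours, international
    ("2002-08-03 01:17", "4099", "NG", 38.50),  # Saturday night, international
    ("2002-08-03 01:25", "4099", "PH", 41.00),
    ("2002-08-04 03:40", "4099", "NG", 57.25),  # Sunday night, international
    ("2002-08-05 02:05", "4099", "ID", 49.80),  # bank holiday Monday, international
]

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def is_out_of_hours(dt):
    """Weekend, or outside an assumed 08:00-18:00 office day."""
    return dt.weekday() >= 5 or not (8 <= dt.hour < 18)

def daily_intl_out_of_hours(cdrs, home="IE"):
    """Sum the cost of out-of-hours international calls per (extension, day)."""
    totals = defaultdict(float)
    for ts, ext, dest, cost in cdrs:
        dt = _parse(ts)
        if dest != home and is_out_of_hours(dt):
            totals[(ext, dt.date().isoformat())] += cost
    return dict(totals)

def flag_extensions(cdrs, per_day_limit=25.0, home="IE"):
    """Extensions whose out-of-hours international spend exceeds the limit on any single day."""
    totals = daily_intl_out_of_hours(cdrs, home)
    return sorted({ext for (ext, _), cost in totals.items() if cost > per_day_limit})

def monthly_total_exceeds(cdrs, average, factor=2.5):
    """The coarse check that failed in the report: alert only when the whole bill is far above average."""
    return sum(cost for *_, cost in cdrs) > factor * average

if __name__ == "__main__":
    print("flagged extensions:", flag_extensions(SAMPLE_CDRS))
    print("monthly total alert:", monthly_total_exceeds(SAMPLE_CDRS, average=150.0))
```

The per-extension rule isolates the maintenance port within a day of the first weekend call, whereas the bill-level check stays silent because a few hundred euro of fraud is lost inside normal traffic.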
It also contacted the Garda Bureau of Fraud Investigation, which indicated at the time that it was investigating a number of similar cases where the fraud totalled an average of €45,000 but was sometimes as high as €90,000 for one weekend.
The Comptroller was told that "typically, fraud of this nature is orchestrated from outside the jurisdiction and a successful prosecution is extremely difficult to achieve".