[ISN] Police question report of India code theft

InfoSec News isn at c4i.org
Wed Sep 1 13:22:47 EDT 2004 

http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,95615,00.html

By John Ribeiro
AUGUST 31, 2004 
IDG NEWS SERVICE

Police officials investigating the alleged theft of source code at 
Jolly Technologies' Mumbai development center are questioning aspects 
of the security incursion reported by the company (see story) [1]. 

Jolly lacked a security policy at its Mumbai center, according to 
investigators examining the alleged theft of company code by a 
development center employee. 

"We have done a preliminary inquiry and took the help of technical 
experts, but prima facie nothing during this inquiry indicated that 
the employee had transferred any file or document from her office 
computer to any other location," said Anami Roy, Mumbai's commissioner 
of police. Roy added that Sandeep Jolly, president of Jolly, refused 
to give police a formal complaint and didn't cooperate with the 
investigation. 

"We got a letter from an employee of the company, but that was a 
sketchy kind of a report and cannot be treated as a complaint," Roy 
said. 

Without a formal complaint from Sandeep Jolly or evidence of a theft, 
the Mumbai police can't proceed with an investigation. "Our own 
inquiry does not disclose the commission of a cognizable crime," Roy 
said. 

The police aren't willing to register the case, according to Sandeep 
Jolly. "We have learned that the police will not file a FIR [first 
information report] until they are heavily bribed, as they know that 
there has been a huge loss to the company," Jolly said by e-mail. 

Jolly Technologies is a division of San Carlos, Calif.-based Jolly 
Inc., which sells labeling and card software. It issued a statement 
earlier this month, reporting that an employee at its 3-month-old 
research and development center in Mumbai stole portions of source 
code and confidential design documents related to one of its key 
products. 

On July 19, the employee in Mumbai uploaded and e-mailed files 
containing the source code and other confidential company data to her 
Yahoo e-mail account, according to Sandeep Jolly. 

One hurdle to any investigation of the case is that Jolly 
Technologies' Mumbai facility fell short on security, according to 
investigators. "It does not have a security policy, it has no log of 
the computer and network activity at the center, and passwords are 
known to all and sundry," said Vijay Mukhi, a technical consultant to 
the Mumbai police on this investigation. 

"We asked Jolly Technologies for the log, and they were unable to 
provide it to us," Mukhi added. "As the company has no log, I have no 
proof that there was a source code theft, and if so who did it." 

However, Jolly Technologies does have the log, according to Sandeep 
Jolly. He also said that while passwords were shared for getting into 
the PC to access a common data server, the password used by the 
employee to access her e-mail account wasn't available to others. 

Jolly Technologies filed a writ petition on Aug. 19 before the Bombay 
High Court asking the court to direct the Mumbai police to register 
the offense and start investigations. This occurred a month after the 
employee allegedly stole the code and left the company without notice. 

"As an association, we are quite satisfied with the investigation by 
the police," said Sunil Mehta, vice president of the National 
Association of Software and Service Companies in Delhi. 

In another twist to the story, approximately an hour after Sandeep 
Jolly went to the Mumbai police, the employee accused of the theft 
filed a complaint with the police alleging that she had been harassed 
at work and mentioned advances such as invitations to dinner and the 
movies, according to Roy. "There was no explicit reference to sexual 
harassment, but to what you would perhaps call 'soft advances' by 
Sandeep Jolly," he added. 

The police fabricated the information, according to Sandeep Jolly. The 
employee filed the complaint two days after he went to the police, he 
claimed, and he said it lacked a reference to sexual harassment. 
Instead, the complaint stated that Jolly had falsely accused her of 
stealing, causing her mental stress. 

"There is more than meets the eye, and we are investigating all 
angles," Roy said. 

[1] http://www.computerworld.com/softwaretopics/software/story/0,10801,95045,00.html

More information about the ISN mailing list