by RV Raman
Harry, the motorcycle and its rider had been photographed before they left the restaurant and the vehicle’s registration number was already in the process of being traced.
Chapter 11
‘A million transactions, Gautam?’ Dilip Puraria asked over the phone. ‘Are you sure?’ He seemed utterly shocked.
‘I haven’t seen it yet, but that’s what the man claims. About a million transactions from September. Moin is checking out a sample of 10,000.’
‘A million!’ Dilip was still stunned. ‘That’s a major heist! How the hell did it happen?’
‘That’s the question, isn’t it? How did it happen and when. We’ll get to the bottom of it, but I wanted to sound you off right away. At present, only Moin and Nilay know about this –’
‘Want to rope in Darshan?’ Darshan, the head of the Puraria Group’s Bengaluru data centre, reported to Dilip. ‘He’s a seasoned IT pro.’
‘Not yet, but soon. Let me do some more work before I call him in. The breach has to be either at MyMagicHat or at one of our data centres. Darshan will have to be roped in. I want to be face-to-face with Darshan when I break the news.’
‘You suspect him, Gautam?’
‘No, not of wrongdoing. But there could be a leak somewhere in the organization he oversees. He’s responsible for the Bengaluru data centre.’
‘Anything you want me to do?’
‘I wanted to pick your brain on what areas we must probe. You’re more familiar with the technology infrastructure than I am.’
‘Let me see… A million transactions would be quite a large chunk…say, 300 MB or 400 MB, right?’
‘The 10,000 transaction file was small – 4 MB or 5 MB, I think.’
‘Text file?’
‘Moin said it was an ASCII file,’ Gautam told him.
‘Same thing. One possibility is that it is an extract from a database. I can’t think of any other place that would store a million transactions. If that is the case, the immediate possibility is that it was taken from a back-end server and the back-end, as you know, is housed in a data centre.’
‘The Bengaluru data centre?’
‘Can’t say for sure. It could be from the disaster recovery site too. I don’t know if any other data centres are involved. It’s been a couple of years since we took those decisions; I don’t recall details now. You said the transactions were customer orders, right?’
‘Yes,’ Gautam confirmed. ‘They contained all the order details.’
‘Including customer name and address?’
‘Uh-huh.’
‘Sure, Gautam?’ Dilip’s voice had taken on an edge.
‘Yes. I saw the first sample of 50 transactions. They had customer names and addresses. Why?’
‘That could be important, Gautam. As far as I remember, we store the customer details in a separate server and use an internal, system-generated customer code to link it with the order. There is only one database that carries customer details. Get Moin and Darshan to check it out. That may help you pinpoint where the data came from.’
‘That’s useful.’ Gautam made a quick note of it. ‘Any other thoughts?’
‘Can’t think of anything other than what I alluded to.’
‘Which is?’
‘The data is from the back-end, not the front-end system. If the stolen data pertained to the product catalogue or customer credentials, it could have come from the front-end. Orders are created only after the customer makes a purchase. And once an order is created, it is sent to the back-end for fulfilment. That’s where they’re stored. That should narrow your search – you don’t need to investigate the front-end too much.’
‘Great!’ A grin broke out on Gautam’s face. ‘Thanks, Bhaiya.’
‘Have you told Papa yet?’
‘Not yet. Thought I’ll tell him once I get some more information. The police are tracking the data seller –’
‘The police are involved? You didn’t tell me that.’
‘Didn’t I? Oh shit, I forgot! Sorry. I got them involved to track the thieves. A plainclothesman was the one who met the data seller today to buy the sample.’
‘Tell me what happened.’
Gautam narrated the events of the evening and concluded by saying: ‘They have narrowed his location down to South Bengaluru and would have traced the bike by now. They also have video shots of the man selling the data and taking the money.’
‘He may not be the guy who actually stole the data.’
‘You’re right. He’s probably just an agent. The plan is to watch him and get him to lead us to the actual thief. From the way he behaved, the police think he’s an amateur.’
‘Good. Any update on the boy who went missing?’
‘Puneet? No. I had hoped that he would surface before the weekend was out. It’s been 72 hours since his disappearance. I’m getting worried… I fear it may be more serious than I had supposed.’
‘Have they checked the hospitals and mortuaries?’
‘Uh-huh. I’m not sure how Kantoff Capital is going to take it. I hope it doesn’t derail the deal. By the way, we’ll have to tell them about the bugging and the data theft soon. It is material information.’
‘Go slow, Gautam! Let’s think this through before we do anything. But I’ll ask Raj to have a chat with Vikram on the Puneet affair tomorrow.’
‘Yeah, do that. Raj knows him better than I do. He may tell him something he wouldn’t tell me.’
‘Of course. Keep me posted, Chotu. Also thank Moin on my behalf, will you? He’s done a great job.’
■
A few kilometres away, a similar conversation was taking place.
‘As far as I know,’ Vibha observed, as she lay in the dark beside her husband, ‘there is no database in MyMagicHat’s back-end system that holds the data you describe. Of course, I can’t be sure until I see the detailed schema, but my recollection is that the order database does not contain customer details. It only has an internally generated customer code.’
‘Then how do you explain the stolen data? You saw the 50 transactions yourself last night. It had customer names and addresses. Today’s bunch of 10,000 transactions is similar.’
‘I don’t know, Nilay. I’m just thinking out loud. I can ask Darshan for the schema tomorrow –’
‘No. Don’t talk to anyone about this! You’re not supposed to know any of this.’
‘Okay, okay, don’t shout! Now, coming back to what I was saying, when an order is created, it is created with only the internal customer code. It never has customer names and addresses.’
‘Then how does it get shipped to the right customer? How are address labels printed?’
‘While printing, the customer details are taken from another database. What I’m saying is that the order database does not carry customer details.’
‘Okay. Where else are orders stored?’
‘Nowhere else! There is only one instance of an order.’
‘Come on, Vibha! Those million transactions must have come from somewhere.’
‘That’s what I can’t understand.’
‘Okay, where are customer details stored?’
‘Only in the secure customer database. I would be very surprised if someone broke into it. There is no way an outsider could penetrate it unless –’
Vibha caught her breath in mid-sentence and stiffened. She was silent for a long moment.
‘Shit!’ she finally said.
‘What?’ Nilay asked, raising himself up on his elbow.
‘Why didn’t I think of that?’
‘Of what?’
‘No outsider can penetrate the customer database, Nilay. No outsider!’
‘Are you…suggesting that someone inside MyMagicHat is sabotaging the company?’
‘That’s the only possibility, Nilay. Believe me, the access control for the customer database is very robust. I’m not ruling out the possibility of a hack, but that would take a real expert. To my mind, it’s unlikely. That
leaves only one possibility – someone who has legitimate access to the customer details is responsible.’
‘Who could that be?’
By now, Nilay was sitting up. Vibha too sat up and moved closer to him.
‘Several people, Nilay – including you.’
‘Me!’
‘Tell me, can you look at an order when you want to?’
‘Yes…I can enter the order number and get the details.’
‘Including customer name and address?’
‘Yes… What are you trying to imply?’
‘Shh. Humour me for a moment. Now where could you get the order number?’
‘From any number of places. Why?’
‘Can you get the list of all orders placed last week?’
‘Yes. Wh –’
‘How about all orders placed in September?’
‘Yes!’ Nilay almost shouted. ‘All I have to do is to enter the date range and get the order numbers. But what’s the point?’
‘Once you do that, you could take each order number and get the order details, right? Including the customer name and address?’
‘My God! Are you suggesting –’
‘You are not the only person in MyMagicHat who can do this, right?’
Nilay nodded and then realized that Vibha couldn’t see his gesture in the dark.
‘No, Vibha, I’m not the only one,’ he told her. ‘But a million orders? It would take ages! And it would be noticed.’
‘You wouldn’t do it manually, silly! Not one by one.’
‘I’d write a database query, I suppose, to extract the details in bulk.’
‘You would first write a query to generate a list of a million order numbers. Then you’d write a second query to take each order number and extract the order details in the format you want. If you are even a half-decent programmer, you’d write a single SQL query to do both. You would combine information from the order database and customer database and construct the complete order. You would then dump your output into a text file very similar to what we saw.’
‘That would be child’s play for someone who knows what data sits where. But you said that the customer database is super secure!’
‘Yes – for direct users. If you tried to access the customer database using the Nilay Adiga user ID, you would be blocked. But when you write a query, it is the query that accesses the database, not Nilay Adiga. It has legitimate access. Of course, not everyone is allowed to query the system.’
‘You’re right. Most users can only run predefined reports. Only some of us can use the flexible query facility to construct our own queries.’
‘Some of you? Who all?’
‘The management team… Maybe, a few others. My God!’
Nilay leapt up and switched on the light, making Vibha dive under a pillow to avoid the sudden glare.
‘I’ve told you a hundred times!’ she yelled. ‘Warn me before you switch on the light! It hurts my eyes!’
‘Sorry! Sorry! Just thought of something.’
Nilay picked up his phone and called Moin.
‘Moin,’ he said, when the call was answered, ‘who all have access to flexible query facility?’
‘For all databases or any specific databases?’
‘Why is that relevant?’
‘Because many people in Accounts have access to the query facility, but they can use it only on the finance data.’
‘I see. Who all have full access? Including customer data?’
‘The management team, the customer management team and your managers. Why?’
‘Just play along, Moin. You’ll see why. One more question. The access I have allows me to see the entire customer order, including customer details. Can I write a query to dump all customer orders for September?’
‘Yes, you can.’ Moin’s voice had become anxious. ‘Are you suggesting something, Nilay?’
‘I don’t know…just thinking out loud. If you were to do that surreptitiously, how would you go about it?’
‘Don’t know…perhaps do it in smaller bits? A lakh at a time and spread it over a few days? That way, it’s less likely to be noticed.’
‘Can we find out if someone did something like that last week?’ Nilay asked.
‘Hmm…I’m not sure. I don’t think we keep logs of the queries put through the query facility.’
‘Shit!’ Nilay cursed. Was it a dead end? ‘Isn’t there any way we can check?’
‘Nothing comes to mind now, but I’ll think about it.’
Another thought flashed through Nilay’s mind.
‘Okay, do you have a list of user IDs that can access the customer database through the query facility?’
‘I can generate a list if you want, but it is what I told you – management team, the customer management team, your managers and some admin IDs.’
‘Admin IDs?’ Nilay’s ears perked up. ‘What are they?’
‘What we IT guys use and the one ID that we allow auditors to use.’
‘Auditors? Why?’
‘They insist. They want access to everything. But we disable the ID once the audit is over.’
In order to certify accounts, auditors needed the kind of access that would enable them to check any transaction randomly and without prior notice. The last quarterly audit had taken place in early September.
‘Then the auditors’ user ID would have been disabled for the past month or so?’
‘Not really –’
‘What’s that supposed to mean?’
‘Well, we use that ID to give access to due-diligence teams too.’
Nilay felt his blood run cold. A DD was currently in progress!
‘Moin,’ he said, his voice sounding strangled, ‘was the user ID active last week during Kantoff Capital’s DD?’
‘Yes, it was.’
‘Who was using it?’
‘Puneet.’
Chapter 12
When Harry left home the next morning, he had a tail. Three tails, to be precise, who frequently swapped places as they kept him in sight. The first thing they noticed was the Bajaj Pulsar motorcycle he was riding. By the time morning gave way to afternoon, the bike had a small coin-like magnetic device stuck under the front mudguard. All the device did was broadcast its location. Thereafter, Alex didn’t need to put three tails on him.
Alex also knew the man’s real name. With the name and address, he would shortlist five mobile numbers that could potentially be Harry’s by that evening alone. Alex would also learn that Harry didn’t hold a regular job. As a freelancer, he accepted whatever contracts came his way and his work often took him to a small shop in Jayanagar that serviced computer hardware and sold computer-related consumables.
‘You were right,’ Dhruvi said as Alex faced her across her desk at office. ‘He’s an amateur. He seems new to this crime game.’
‘Never known a pro’s hand to shake when he takes money,’ Alex quipped in his usual mournful tone. ‘But I’m not complaining. I can use a rare slice of luck. Life is too hard otherwise.’
‘Too hard, my foot! This has been almost too easy.’ Dhruvi was conscious of a vague sense of disappointment that she tried to fathom.
‘Too easy!’ Alex’s face assumed an affronted expression. ‘You saw how hard I had to work, didn’t you?’
Ignoring his protest as well as his pained expression, Dhruvi continued as if he hadn’t spoken.
‘But the bugging of MyMagicHat was undoubtedly a professional job,’ she said. ‘I had assumed the two were connected; that the same people were behind both crimes. I was wrong. Professionals wouldn’t hire a rookie like Harry. I won’t be surprised if he leads us to the data thief in the next 24 hours.’
‘I hope so. We can close the complaint, then.’
Dhruvi shot him an exasperated look. ‘I want to get to the bottom of the bugging and Puneet’s disappearance. Any update on him?’
Alex shook his head. ‘Nothing. Zero. The boy seems to have vanished into thin
air.’
‘You have placed alerts on his credit cards, bank accounts and mobile number, haven’t you?’
Alex gave her an injured look that she took as a confirmation.
‘Is anyone watching his house in Mumbai?’ she continued.
Alex blinked. ‘No. Should someone? I assumed that you would get to know as soon as he returned home. They’d call you.’
‘You’re right.’ Dhruvi nodded thoughtfully, twisting a curl of her hair around a finger. ‘I wonder if we need to keep tabs on his girlfriend. I would like to know if he has called her. Unfortunately, we can’t get clearance to do that. We are investigating the data theft, not his disappearance.’
‘If I may say so, ma’am,’ Alex began gently. He had a concerned expression on his face. ‘You’re getting too close to the case.’
‘His mother is a very nice lady, Alex. So is my aunt. They are terribly worried.’
‘Yes, ma’am.’ Alex’s face had softened a little more. ‘But in letting personal considerations affect you, aren’t you missing the obvious?’
‘Which is?’
Her gaze held a challenge. But it was also tinged with worry.
‘A person has been missing for three-and-a-half days. What would you suspect if this were just another case where you didn’t know the missing person?’
Dhruvi faltered and dropped her gaze.
‘You’re right, Alex,’ she conceded. ‘I dare not even contemplate the possibility. How would I break the news to my aunt if Puneet were dead?’
She took a deep breath and mentally shook herself. She could do nothing more about the Puneet affair. But she could hope that her investigation of the data theft might uncover something that would throw light on his case. That was what she had to focus on.
She looked up and smiled at the man whose face now revealed a hint of avuncular concern.
‘Thank you, Alex. I needed that. Now let’s get back to the data theft. We should arrange for another meeting with Harry, shouldn’t we?’
Alex nodded.
‘Arrange it in a way that will force him to make contact with his partner, the thief,’ Dhruvi continued. ‘What do you say?’
