KARACHI: A detailed probe by a professional firm has confirmed that the security system of Karachi Stock Exchange (KSE) was breached through unauthorised access, a fact that was revealed by two whistleblowers of KSE, who have also been identified. The report finalised in December 2013 found that two undocumented Virtual Private Notebooks (VPNs) were operating for private trading.The breach was unearthed after two whistleblowers accused senior staff members including Managing Director Adnan Afridi of accessing sensitive trading data through a secret backdoor network, accessing e-mails of other staff members without authority. The KSE board asked Internal Audit Department to investigate the matter. The Internal Audit Department seized some of the computers of the IT staff and what they found on the computers was shocking. They found evidence of vendors paying for unreported foreign trips of IT staff including IT head Abdullah Jan Farooqi. But, in addition, they found back-door access to the stock exchange computer system from outside the KSE premises. Some KSE board members showed concern and termed the practice a breach of trust, which benefited the staff and outsiders to see, buy and sell orders of companies and individuals that were traded on the exchange. The board reacted by hiring a respected consulting company to investigate the matter. What they found was a litany of information that led to the unravelling of this fraud. The report found that former MD Adnan Afridi used to access trading data related to some specific UIN numbers and certain confidential trade related data was found on the system of an IT staff member, Farooq Daudpota. According to that report, Adnan Afridi and key IT staff members including its head Abdullah Jan had secret programmes running on the KSE main computers that gave them access to the trading of large investors including many foreign funds. Mr Afridi and Mr Jan and others could access the trading data live from the KSE and also from remote locations. The report expressed disappointment with the statements of IT General Manager Abdullah Jan Farooqi relating to the date when the first VPN was disabled.The report states that the investors whose account data is believed to be hacked through tracking of their UIN level data included: Citigroup Global Markets, Merrill Lynch International, Merrill Lynch Pierce Fenner & Smith, Mallen Securities, Auerbach Grayson, Deutsche Bank, Morgan Stanley, Dubai Investment Group, Bear Stearns, Prince Street, Old Lane, Safra, Solara, SG Securities, Arab Emirates Investment Bank, BNP Paribas, Allied Bank, Bestway Holdings and Al-Baraka Investment Company. Adnan Afridi reacted to these allegations by saying he was looking at the trading data of investors as there was no surveillance department of the KSE and he was the MD so he was doing the surveillance. But there are two facts that disprove this statement. First, the KSE did have a surveillance department so not only did Mr Afridi lie there was no need for him to do this job since an entire department existed to do it.Second, the report states that the MD looked at the UIN’s specific institutions and individuals, which means that there were only selected market participants whose trading the MD was interested in. A KSE trader said when the KSE was performing well, such reports could malign its name. Most importantly, questions were raised as to why the stock exchange’s management had been silent on this matter since the summer of 2013. KSE Managing Director Nadeem Naqvi told ‘The News’ that the inquiry was under way and hopefully by the end of this month they would get the final report. He claimed that the report did not accuse any person but action would be taken against those responsible after the final report was received.Replying to a question, he said that there was no breach of trust and no employee had accessed the network for taking any benefit. Actually the management had decided to establish an alternative network keeping in view the law and order situation of Karachi but the staff, without taking prior permission, started testing the system. This, he added, was out of the procedure but it was confirmed that the staff had not done anything secretly.Naqvi denied that he was protecting someone because some big shots of the stock market like Aqeel Karim Dhedhi were backing them. He said he was a professional and his loyalties were with the organisation, not with someone else. He confirmed that he remained the director of the AKD Securities, the company owned by Aqeel Kareem Dhedhi and due to some matters of the AKD Securities, the apex court had placed his name along with other directors on the Exit Control List (ECL). He said it was a misperception that the 2008 crisis was the result of the wrongdoings of the management.Apart from the claims and clarification of MD Naqvi, it is a fact that the KSE management had fired many employees of the IT section and the head of the IT section Abdullah Jan was sent on forced leave. Sources within the KSE are of the view that the present MD is reluctant to take action against those responsible for the big fraud because of their connections with some big shots of the KSE. That’s why neither he is forming any committee to probe the issue nor he is informing the regulator, the SECP. Former KSE managing director Adnan Afridi told ‘The News’ that he had access to the data after execution of trade and he did not have any access for live trading and this was not unauthorised. “As MD, I was authorised to watch the data for surveillance purposes. He added that he was not involved in any kind of irregularity and KSE was inquiring the IT department staff and not against him.” The head of KSE IT section Abdullah Jan first refused to comment on any matter but then he briefly gave his version. He confirmed that the KSE management had sent him on forced leave and an inquiry was under way against him.Mr Jan also confirmed that many employees of the IT section had been fired. He denied any unauthorised access to data.