Advertisement
Canada markets closed
  • S&P/TSX

    22,167.03
    +59.95 (+0.27%)
     
  • S&P 500

    5,254.35
    +5.86 (+0.11%)
     
  • DOW

    39,807.37
    +47.29 (+0.12%)
     
  • CAD/USD

    0.7379
    -0.0007 (-0.10%)
     
  • CRUDE OIL

    83.11
    -0.06 (-0.07%)
     
  • Bitcoin CAD

    94,576.65
    -804.94 (-0.84%)
     
  • CMC Crypto 200

    885.54
    0.00 (0.00%)
     
  • GOLD FUTURES

    2,254.80
    +16.40 (+0.73%)
     
  • RUSSELL 2000

    2,124.55
    +10.20 (+0.48%)
     
  • 10-Yr Bond

    4.2060
    +0.0100 (+0.24%)
     
  • NASDAQ

    16,379.46
    -20.06 (-0.12%)
     
  • VOLATILITY

    13.01
    0.00 (0.00%)
     
  • FTSE

    7,952.62
    +20.64 (+0.26%)
     
  • NIKKEI 225

    40,369.44
    +201.37 (+0.50%)
     
  • CAD/EUR

    0.6851
    +0.0008 (+0.12%)
     

NorQuest College faces tough questions from MLAs on alleged fraud and security breach

NorQuest College faces tough questions from MLAs on alleged fraud and security breach

During what was sometimes a testy exchange with MLAs, the President and CEO of NorQuest College fended off a wide range of questions about an alleged fraud and massive security breach at the college from 2008-2012.

Appearing for the first time since the public learned about the incidents in September 2016, NorQuest President and CEO Jodi Abbott revealed to an all-party legislative committee that the college recovered $1.622- million in an out-of-court settlement with its former Information Technology ( IT) manager.

As previously reported by CBC, NorQuest learned about the alleged fraud and privacy breach in early 2013, after Clarence Orleski, a former employee who was previously terminated, reportedly sent a series of inappropriate and sexually graphic emails to two NorQuest staff members.

Abbott told the Public Accounts Committee on Tuesday the college obtained a rare Anton Piller court order, which led to the unannounced search of Orleski's home in March 2013. That's where property and information belonging to NorQuest College was seized.

ADVERTISEMENT

Through detailed investigation of the data obtained from Orleski's computer and mobile devices, Abbott said NorQuest recovered an "intricate set of allegedly fraudulent transactions dating back to 2008, totalling $1.2-million, which led to further investigations and legal actions."

For more than an hour, members of the Public Accounts Committee grilled Abbott on why it took so long to inform staff of the alleged security breach, if stolen data had been shared, and if the court settlement reflected the actual losses incurred by the college.

'You knew something was wrong'

Wildrose MLA for Battle River-Wainwright, Wes Taylor, suggested the college had enough information to obtain an Anton Piller order, but didn't bother to tell staff their privacy may have been compromised.

"Why didn't you, at that point in time, tell the staff, your faculty what was happening?" asked Taylor. "This is a massive privacy breach, and you knew something was wrong."

Abbott said the two staff members targeted by the breach were fully informed, however legal counsel advised the college there was a "low risk" other staff or faculty members would be harmed.

In her opening remarks to the committee, Abbott said the college was also advised that "broad disclosure of the privacy breach would hinder both the criminal and civil investigations."

Richard Gotfried, PC MLA for Calgary-Fish Creek, asked why a settlement was reached for $1.6-million when he believes the college was on the hook for much more.

"The total cost to the public purse is somewhere in excess of $3.3-million," said Gotfried.

Abbott responded by saying goods and services were received in the transactions and, through the litigation process, the figure was determined to be an accurate assessment of the losses.

In a statement of claim filed by the college in court, Orleski is accused of "dishonestly and wrongfully designing, orchestrating, and implementing a scheme of fraud and deceit" involving two separate companies, "for his own personal gain and benefit" over a combined period of about five years.

"I find it a little hard to believe that these companies really provided anything of necessary value to the college," Gotfried added, saying there were costs such as severance payments not factored into the settlement amount.

Abbott was also pressed on why she is confident that personal information taken from Norquest, wasn't shared.

"I find it preposterous even ludicrous to even suggest that you've collected all that data," said Taylor, noting the former employee was an IT manager, well-versed in how to obtain and share information.

'We have not seen any repercussions'

Abbott said all data was recovered.through the sweep of Orleski's home computer and devices. In addition, she said if Orleski is found to have copied or used the information, he faces serious sanctions such as a possible prison term.

"It's been almost three-and-a-half years since this happened and we have not seen any repercussions," she said.

But NorQuest lawyer Joan Hertz acknowledged, "I don't think there's any way to guarantee, however the court order does bind Mr. Orleski."

NorQuest College was also chastised by Taylor for not first disclosing the security breach in 2013, the last time it appeared before the Public Accounts Committee (PAC).

"If this was disclosed at PAC in 2013, there would not be this meeting that we're having today."

"We didn't know what we had," Abbott responded, adding that, at the time, they were focussed on protecting the two staff who were targeted, and it wasn't until later they realized the extent of the breach.

Abbott was also taken to task for not reporting the breach to the Alberta Information and Privacy Commissioner sooner.

"This is just incredibly negligent on your part in my opinion," remarked Bonnyville-Cold Lake Wildrose MLA Scott Cyr.

"That you didn't go to the privacy commissioner because you considered you had all the information. It's just ludicrous."

NorQuest was not required to publicly report the breach, but Abbott said NorQuest followed the guidelines recommended by the privacy commissioner, and had secured the data that was breached.

"Hindsight is always 20/20, but we do believe this is an example of something being very well managed."

College insists better systems in place

"I am actually just completely amazed that the systems weren't in place to prevent this before 2012," said Edmonton-Whitemud NDP MLA Bob Turner.

"Putting in systems like segregation of duties, that's a Grade 3 system for management," said Turner, "Why wasn't that in place?"

Abbott said the college was in the process of improving its system when they discovered the alleged fraud.

The college has since intensified its monitoring of what staff does online, Abott said.

"We do monitoring of who's accessing what," she said.

"We have monthly monitoring that happens and we can look at logs of who's been looking at what kinds of documents, to ensure that they're only looking at what they should be looking at."

NorQuest College had been previously warned by Alberta's Auditor General that its internal systems "exposed the college to fraud and error going undetected."

Auditor General Merwan Saher told the committee that since the privacy breach, the college has improved its systems.

"In fiscal 2013 and since, we have been able to conclude the college has adequate internal controls and processes to reasonably mitigate the risk of fraud and error," said Saher.