ASA Philippines President and chief executive officer Kamrul Tarafder. Photo from ASA Philippines Foundation | FB

President’s ouster row, ASA Phl gives side (5)

Jyosna’s internal investigation suggested that the breach might have been perpetrated by someone within ASA Foundation itself. Kamrul Tarafder, the founder of ASA Philippines, requested an internal investigation, which was denied.

Chito Lozada

In the fifth of a series, ASA Philippines, through counsel Cruz, Marcelo and Tenefrancia law office, responds to the series of articles that came out from 5 to 11 November based on interviews of former ASA Philippines President and chief executive officer Kamrul Tarafder and documents he provided:

Kamrul: “A cyberattack on ASA’s digital system provider, Jyosna, resulted in a ransom demand of $200,000 from the cyber threat group Medusa. The demand required payment through a cryptocurrency wallet. Medusa threatened to hold hostage all user passwords and leak the data obtained.

The messages from Medusa referenced Jyosna’s ATMOS System, which provided the digital backbone of the Foundation. Jyosna and ASA jointly reported the hacking incident to the Philippine National Police Cybercrime Division, without engaging directly with the threat actors.

Jyosna’s internal investigation suggested that the breach might have been perpetrated by someone within ASA Foundation itself. Kamrul Tarafder, the founder of ASA Philippines, requested an internal investigation, which was denied.”

ASA Philippines: Contrary to the Articles’ portrayal, the Foundation took all the necessary steps to address the hacking incident in a timely manner. It reported the breach to the Philippine National Police Cybercrime Division in October 2023 and submitted a Data Breach Report to the National Privacy Commission immediately thereafter.

The Foundation also conducted a comprehensive internal investigation and hired independent cybersecurity firms, Trustwave and Sites Phil, for a thorough review. There is simply no basis for the malicious claim that the breach might have been perpetrated by someone within the Foundation.

The investigations had to be conducted without Jyosna’s full participation and cooperation, despite what is expected of a contractual counterparty responsible for the processing of data controlled by ASA on behalf of its clients and employees.

Kamrul: “In November 2023, certain board members, including Ambassador Howard Dee and his son, Richard Dee, began suggesting the potential sale of ASA Foundation. Kamrul claimed that potential buyers had been approached, and he objected to the sale proposal.

On 3 November 2023, Kamrul formally wrote to the board, addressing ASA chairperson Jose Cuisia about his concerns regarding recent changes. He confronted the board about the alleged intention of the Dees to sell ASA Foundation and requested arbitration to resolve the escalating dispute.

However, Cuisia denied his request for arbitration and denied that discussions on the sale of the Foundation had taken place.

The board later attempted to turn the tables on him, accusing Kamrul of being the one interested in selling the Foundation and seeking potential buyers. Cuisia subsequently sent a message to the employees, calling the rumors about a potential sale ‘false and fake news,’ attempting to shift the narrative to suggest Kamrul was the one circulating such claims.”

ASA Philippines: The claim that certain Board members, including Ambassador Dee and Mr. Dee, suggested selling the Foundation in November 2023 is completely false. In reality, it was Mr. Kamrul who explored the idea of selling the Foundation. Nonetheless, other than Mr. Kamrul’s untruthful claims, the Board did not, at any point, seriously consider selling the Foundation or approaching potential buyers.

The Board firmly and definitively denied in writing any intention to sell the Foundation or its assets, stating such speculation is unfounded and contradicts its mission. As a non-stock, non-profit corporation, the Foundation cannot distribute income or sell itself, per the Revised Corporation Code. Any assets upon dissolution must go to another non-profit or the state.

Ambassador Cuisia, in his response to Mr. Kamrul, assured that the Board is capable of addressing any issues and emphasized the need for collaboration among all members to strengthen their mission. He did not suggest that Mr. Kamrul was spreading rumors about a sale; instead, he called the claims “fake news” and baseless.

Kamrul: “In March 2024, an unauthorized attempt to access Jyosna’s data was reported. ASA Foundation advised the system provider that Trustwave, a third-party cybersecurity firm, had provided them with Jyosna’s data file upon the Foundation’s request. This was the same data file the hackers had failed to obtain during the previous breach.

Kamrul’s son, Simon, vigorously objected to the release of this data, as it was done without his knowledge or consent.

Trustwave, which was hired to investigate the breach, had been instructed by Jyosna not to disclose any data to anyone, including ASA Foundation. The firm was only supposed to investigate and provide expert opinion, but it exceeded its authority by yielding to ASA Foundation’s request for the data.

Simon demanded that the files disclosed without authorization be deleted, but the request was ignored.”

ASA Philippines: This narrative absurdly claims that Jyosna owns the Foundation’s data stored by Jyosna and has authority over it. In reality, the Foundation is the sole controller and owner of all data in the ATMOS system, as stated in the contracts and supported by law.

Trustwave acted within its contracted authority with the Foundation by securing potentially at-risk data and informing the Foundation. These data files were provided to them by Jyosna to conduct the independent investigation. It is Jyosna and Mr. Simon’s suspicious refusal to fully participate in this investigation and to disclose the truth about the hacking incident that raises doubts about their findings, especially when compared to the contradictory results from an independent cybersecurity expert.