E-tender scam looms large over Madhya Pradesh government
Even before the dust kicked up by the Vyapam scam has settled, another big-ticket corruption case is staring at the Shivraj Singh Chouhan government months ahead of the assembly elections.
Billed as the ‘e-tender scam’, it involves large-scale manipulation of the online procurement platform of the Madhya Pradesh government to allegedly favour a select few private companies. Suspected to have been going on for years now, it was exposed only in May this year.
An ET investigation reveals that the Madhya Pradesh Jal Nigam (MPJNL) was internally alerted to encrypted e-document contents being modified by backend players, with the connivance of private companies and the top bureaucracy, after the price bids were opened for three of its contracts in March this year.
A major technology-cum-engineering construction company too is learnt to have complained about the issue following an internal assessment after they had missed out on some tenders by narrow margins. A senior MPJNL officer sought the help of the nodal department which hosts the portal, the State Electronics Development Corporation (MPSEDC), to ascertain how the secured infrastructure was compromised.
MPSEDC managing director Manish Rastogi, a 1994 batch IAS officer, who has technical know-how due to his computer science and engineering background, conducted an internal inquiry and found out that the bid processes of three contracts for multi-village rural water supply schemes in Rajgarh and Satna districts were altered to make two Hyderabad-based and one Mumbai-based companies the lowest bidders, documents with ET have revealed.
It was done with insiders’ help as inquiries revealed that a select few bidders got unauthorised sneak preview of the bid price so that they could pitch lower bids to clinch the deals. The contract amount for the three projects was more than Rs 2,322 cr.
Similarly, six other contracts of the public works department, water resources department, MP Road Development Corporation and project implementation unit were also exposed to similar insider rigging of e-bids, Rastogi realised.
He also issued show cause notices (SCNs) to service providers Tata Consultancy Services and Antares System on June 6 for “non-compliance with the terms and conditions of the RFP” of the contract agreement with MPSEDC. While TCS was given the responsibility for maintenance of the helpdesk, hardware and training, Antares was assigned the task of application development and maintenance.
Neither denied, in their responses to the SCN, that cyber fraud was committed, but at the same time the two did not accept responsibility for the breach, noted Rastogi in his correspondence with the two software companies. The two SCNs issued to TCS and Antares were accessed by ET.
The MPSEDC later wrote to the respective departments to cancel six more tenders. The internal inquiry by MPSEDC flagged concerns over the role of OSMO IT Solution, which was roped in after a “demo department” was raised in 2016 to ascertain why performance of the portal was poor.
OSMO was provided with five passwords for the same number of IDs of the demo department that were allegedly used to unauthorisedly access price bids to make favoured firms lowest bidders in contracts, which now stand cancelled.
OSMO director Varun Chaturvedi, however, denied any role of his company in the scam. Chaturvedi stated that they were given passwords for limited privileges to create and view tenders in mid-2016. “I’m not aware of how these passwords were used to rig tenders. We did performance testing at the MPSEDC office and shared our report with them. Further tests were not completed and we were removed from the assignment sometime in mid-2016. The EOW probe will make things clear,” Chaturvedi commented.
Meanwhile, Rastogi was unceremoniously divested of his additional charge of Principal Secretary Science and IT after his internal audit of the first three cases made it apparent that large scale manipulation took place on the e-procurement system. He was replaced by another IAS officer Pramod Agarwal.
Rastogi, however, refused to comment on his efforts to unravel the corrupt cyber plot as well as the BJP government’s uncharitable decision towards him.
“I did whatever I had to and now I have moved on. I would not like to talk about my previous assignment,” Rastogi said, refusing to succumb to constant prodding to share the details of the e-tender scam.
On the orders of MP chief secretary BP Singh all the nine tenders were handed over to the Economic Offence Wing (EOW) of the Madhya Pradesh police for a probe under IT Act, 2000, as e-portal tampering tantamounts to economic fraud.
An EOW official, who is part of the probe team, estimated that the scam is worth Rs 3,000 crore.
Ruling out any foul play in Rastogi’s transfer, BP Singh told ET that “he had gone on leave and was not picking up his phone. We needed some information urgently. So we gave the charge of Principal Secretary Science and IT to Pramod Agarwal who was the first to raise the issue”.
Though both the internal reports of TCS and Antares submitted to MPSEDC have clearly established that the encrypted data was compromised to benefit three private bidders, the EOW has only registered a Preliminary Enquiry (PE) and not an FIR to probe the e-tender scam.
EOW’s Additional Director General of Police Madhu Kumar said the case is at a “critical stage” of the probe. “Due to technical issues we have registered PE first, then it will go to the next stage of a regular case,” Kumar clarified to ET.
Police have, however, seized 9 terabytes of data from MPSEDC on tendering done from 2013 till May this year, said EOW sources. EOW Deputy Superintendent of Police Rajesh Guru, who is the IO of the case, has taken documents from departments under the scanner and examined officials of the software companies lending support to the e-procurement portal.
A senior EOW officer told ET that they are going for a forensic audit of all the tainted nine tenders to fix accountability.
The police, suspect government sources, is soft-pedaling the probe owing to fears of outcome in an election year. The government is unwilling to probe contracts awarded through e-tenders since 2013 as a senior officer stated that it would unravel a bigger scam.
The senior officer quoted earlier insisted that it’s not mere hacking but a criminal conspiracy hatched to manipulate tenders for wrongful gains.
While the state government shifted Rastogi, senior officers of the department under the scanner continue to hold on to their posts, jeopardising the possibility of a fair probe.
The MP chief secretary though countered charges of any attempt made to influence the probe. “The EOW is inquiring the matter. There is no role of departments. After Agarwal identified the issue we sought a probe,” Singh remarked.
Meanwhile, MP Vidhan Sabha leader of opposition Ajay Singh wrote a letter to Prime Minister Narendra Modi on July 2, 2018, seeking a probe into the e-tender scam either by the Central Bureau of Investigation (CBI) or under Supreme Court supervision. The Congress leader said he did not receive any response from the PM.
Singh in his letter has cast a cloud on the role of OSMO, which possessed the encryption key that was clandestinely used to open price bids. Only the Tender Opening Authorities (TOAs) in different departments are designated to have them for logging into the live bidding process.
The e-tender scam paints a scary picture of the vulnerability of Digital India, if private companies connive with the ruling dispensation to rip off the public exchequer.
Unravelling the Fraud
An analysis by Antares Systems, which provided software solution for MPSEDC’s e-tender portal, unravels the cyber heist.
The MP e-procurement application stipulates that a vendor’s bidding data should be encrypted using the Department Tender Opening Authority’s digital certificate. In turn, the vendor’s bidding data can be decrypted using the TOA’s encryption certificate keys.
In March, price bids were opened for each of the tenders — MPJNM/TENDER NO-91, MPJNM/TENDER NO-93 and MPJNM/TENDER NO-94 — to execute Jal Nigam’s multi-village rural water supply schemes in two districts.
The opening showed a mismatch in the vendor’s One Way Hash (OWH) value. The OWH is a mathematical algorithm that maps data of arbitrary size to a fixed-size value. The original OWH generated at the time of bid submission did not match the tampered OWH.
The “signature verification” page of the portal showed an error message for “signature and certificate validation status” – a cross tick mark next to “document content is modified” – which pointed out that it was fraudulently accessed.
Investigations revealed that a few tenders were processed in the “Demo Department”, created for training and practice for officials and bidders. Demo users were mapped with the same MP Jal Nigam’s TOA’s certificate.
The Demo department’s user id (PT_4) was used and repeatedly associated with different TOA’s encryption key to illegally open the bid values of others. This id was created and allotted to M/s OSMO IT Solutions, Bhopal, for carrying out the performance testing of the portal.
The encrypted bid data of each tender, except for fraudulent bidder data, was copied to the database table row in the Demo Department’s test bids.
The cost opening of these test tenders was done on March 3, 2018, using the TOA PK Guru’s encryption certificate, which is the same as that of the TOA of the MP Jal Nigam tender.
The encrypted data of demo tender was then copied back into original Jal Nigam tender database to favour fraudulent vendors.
That’s why there was mismatch in OWH. The signing certificate is mapped to Mr Kesho Rao Uike, District Trade and Industries Center, Seoni.
Multiple parties are involved in the cyber fraud. The prime suspects are TOAs, persons having good knowledge of how tenders are hosted and processed, and backend personnel who could have accessed the IT infrastructure and been able to copy encrypted bid data. Lastly, there are the bidders who wanted to win tenders by becoming L1.
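The two warning signs in the Antares analysis, a stored bid whose one-way hash no longer matches the value recorded at submission and a training account mapped to a live TOA certificate, can both be checked by an auditor. The sketch below is an added example, not code from the portal or from any party named in the article; SHA-256, the record layout and every identifier and value in it are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def owh(blob: bytes) -> str:
    # SHA-256 is an assumption; the article does not name the portal's hash.
    return hashlib.sha256(blob).hexdigest()

# Constructed sample data; all tender, bidder, user and fingerprint
# values below are hypothetical.
SUBMITTED = {  # (tender, bidder) -> OWH recorded at bid submission
    ("TENDER-A", "bidder-1"): owh(b"ciphertext-1"),
    ("TENDER-A", "bidder-2"): owh(b"ciphertext-2"),
    ("TENDER-A", "bidder-3"): owh(b"ciphertext-3"),
}
CURRENT_ROWS = {  # (tender, bidder) -> encrypted bid now in the database
    ("TENDER-A", "bidder-1"): b"ciphertext-1",
    ("TENDER-A", "bidder-2"): b"ciphertext-2-rewritten",
    ("TENDER-A", "bidder-3"): b"ciphertext-3",
}
# (user id, department, is_production, certificate fingerprint)
CERT_MAPPINGS = [
    ("toa_jal", "Jal Nigam", True, "fp-01"),
    ("demo_1", "Demo Department", False, "fp-01"),
    ("demo_2", "Demo Department", False, "fp-99"),
]

def modified_bids(submitted, current):
    """Bids whose stored ciphertext is missing or no longer matches its OWH."""
    return sorted(key for key, digest in submitted.items()
                  if key not in current or owh(current[key]) != digest)

def shared_certificates(mappings):
    """Fingerprints mapped to both production and non-production users."""
    by_fp = defaultdict(lambda: {True: [], False: []})
    for user, _dept, is_prod, fp in mappings:
        by_fp[fp][is_prod].append(user)
    # Report the non-production users that share a production certificate.
    return {fp: sorted(users[False]) for fp, users in by_fp.items()
            if users[True] and users[False]}

if __name__ == "__main__":
    print("modified bids:", modified_bids(SUBMITTED, CURRENT_ROWS))
    print("certificates shared with non-production users:",
          shared_certificates(CERT_MAPPINGS))
```

The hash check only helps if the submission-time values are kept where database administrators cannot rewrite them, and the mapping check is worth running before bids open rather than after.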
Questions that cast doubt on the intention of the MP government to nail fixers
Why didn’t Shivraj Singh Chouhan government seek an explanation or at least transfer brass of departments whose e-tenders were rigged, to ensure impartial inquiry?
Why was MD of MPSEDC Manish Rastogi transferred after he blew the lid on the scam?
Why has no overarching investigation into the e-tendering process since 2013 been allowed by the state government? The EOW is probing only nine cancelled tenders.
Why was no punitive action initiated against beneficiary companies despite an internal inquiry pointing out the names of bidders who emerged lowest bidder by compromising e-procurement infrastructure?
Why was the case not handed over to the CBI with so many public servants and influential companies involved in the case?
Companies assisting e-tender portal and their lapses
MPSEDC’s stand:
TCS and Antares Systems were issued show cause notices for violation of the contract agreement with MPSEDC. The breach showed that the two companies violated four clauses of the RFP: “operational support for five years”, “security requirements”, “database control” and “additional security features”. The SCN demanded to know why the contract with the two outsourcing companies should not be terminated.
TCS spokesperson response:
“The eProcurement system was implemented in January 2014 and running successfully since then. TCS operations are periodically reviewed by auditors appointed by the client. On intimation of this isolated incident from our client, we conducted a detailed investigation and concluded that our employees are not involved in this incident. We are fully cooperating with the client and investigating authorities”
Antares vice-president Manohar MN’s response:
“We have replied to the SCN. The irregularities did not happen in the application but outside. Someone who had keys would have probably done it. We have shared our reports and given our version to EOW too”.