How thieves accessed KPA systems to steal hundreds of containers

The usernames and passwords of two retired employees of the Kenya Ports Authority (KPA) were mysteriously activated and used to clear hundreds of containers at the Mombasa port, a court was told yesterday.

The hijacking of the two accounts led to losses amounting to Sh106 million in unpaid customs duty in one case where 124 containers were released before import duty was paid.

In another case, 150 containers were released without duty being paid on them using an account and password that were non-existent in official records.

Thirty-one employees of the Kenya Revenue Authority (KRA) and KPA are being charged with the theft of the 124 containers between May 1 and August 3, 2016.

A KPA official claimed a former employee was behind the unprocedural release of the 124 containers from the port.

Five companies

A second witness, who retired from KPA on January 1, 2016, testified that her Simba System account password and username were hijacked to open five companies that illegally cleared a separate batch of 150 containers from the same facility.

Yesterday, KPA customer service officer Benjamin Mwauda said Florence Langat resigned from KPA, where she worked as a supervisor in the manifest import department, but was still able to access the information and security system to release the containers from the terminal holds without permission.

“It still surprises me to date. I cannot tell how Langat was able to uplift a container from the terminal hold yet she had resigned,” said Mr Mwauda.

The prosecution, led by Senior Assistant Director of Public Prosecutions Alexander Muteti, said the accounts of two former port employees who are testifying for the State were mysteriously activated to commit fraud after they left employment.

Rose Taabu Musau, who retired after 37 years at KPA, told the court that several months after she retired, her username and password were still active, despite being cleared by all departments including ICT.

She said the ICT department acknowledged her retirement and issued her with a certificate acknowledging the same but somehow, her username and password were never deactivated.

Former colleague

“I was called by a former colleague, Niga, from the manifest import department while I was at home in Kangundo and he told me that my password was live and was being used to release containers,” said Ms Musau.

“He told me to immediately go to the KRA investigations office where I was shown five files of companies called Spear, Sanika, Phahim, Tizura and Pupa that had cleared 150 containers in my name,” she said.

Defence lawyers however claimed Musau lied to protect herself and accused her of being complicit in the fraud.

“I put it to you that you are the sole owner of the password and you failed to ensure the password was deactivated by the IT department,” said lawyer Gichana Omwando, who also accused her of negligence.

Musau denied being negligent and blamed the ICT department of laxity in ensuring the safety of its systems.

“I did my duty by clearing with all departments including ICT. It was not my duty to go back and check if my account was active. That is a role bestowed solely on ICT super-users who I cannot identify,” she said.

Musau also testified that Langat, who resigned from the port after January 2016, was her supervisor.

Raising red flag

Earlier, Mwauda testified that 124 containers were released from terminal holds by Joshua Misoi and Langat. He could not explain how Langat could access the system from outside the company without raising the red flag in the system.

The accused were released on a bond of Sh100,000 each by Senior Principal Magistrate Francis Kyambia.