See latest resources »
Blackmail case exposes failings

Blackmail case exposes failings


Barclays' handling of a £25 million blackmail case against former staff member and encryption expert Graham Browne is picked apart by 'Slicker', City columnist for UK satirical magazine Private Eye.

Barclays' shareholders have paid a high price for the bank's failure to agree to voluntary redundancy for £50,000-a-year encryption expert Graham Browne, recently acquitted by an Old Bailey jury of trying to blackmail the bank for £25 million.
Barclays ran up substantial legal fees in a failed bid to have Browne tried at least in part in secret to prevent alleged weaknesses in its credit card security becoming public. The UK high street bank also failed in efforts to influence the prosecution of Browne to minimise embarrassment over his claims.
Evidence at the trial confirmed much of what Browne claimed - one reason perhaps the jury found him not guilty and accepted his defence that he had acted "stupidly" in seeking to bring security problems to the bank's attention by his "ludicrous" demands.
The evidence about how customers' financial details are guarded was hardly reassuring for the millions of Barclaycard customers or those with MasterCard, and Visa cards from Barclays. Prosecutor Sallie Bennett-Jenkins said of what Browne knew: "If any of this information were to be made public, the security of the bank's entire debit and credit organisation would be in jeopardy."
Witnesses confirmed that the small, four-strong encryption team that Browne led was under-resourced, under-staffed and over-worked over a long period. At one time, Browne had been the only encryption expert. During the 90s he had repeatedly written to his superiors pointing out "security problems". These, he claimed, were constantly ignored.
After he was refused voluntary redundancy Browne, 57, resigned, believing that his resignation would not be accepted. When it was and he lost a job he clearly loved, he became bitter and frustrated. One of his colleagues blamed Barclays for taking an "aggressive" approach to Browne, who had worked for the bank since 1985.
An anonymous letter to Private Eye, received after the magazine had revealed Barclays' involvement and secrecy surrounding the prosecution, and said to be from Browne's supportive colleagues at Barclays' Radbroke Hall computer centre in Cheshire, accused the bank of bullying tactics.
One of the four claimed blackmail letters written by Browne to Barclays chief executive Matt Barratt, using the alias of his original name - whatever his skills with codes, the ex-Barclays executive was no whiz at actual criminality - states Barclays' real fear: "Your security needs sorting out. It would not do for the public to know how bad it is." As Browne told the police when he was interviewed: "Sooner or later there will be an almighty cock-up."
Browne maintained that there were "fundamental flaws" in Barclays' card security system. The bank admitted it had scrapped an internal project, on which Browne worked, called Operation Warthog to seal up the cracks.
Some of Browne's criticisms of Barclays' card security operations were confirmed by colleagues and even by the bank's own witnesses. Senior risk assessment executive David Curd admitted when questioned by defence counsel Nicholas Atkinson: "We have identified weaknesses in our procedure." He accepted that the credit cards had been "at risk".
It was perhaps not surprising therefore that Barclays was slow to call in the police in the opinion of those with knowledge of investigating extortion. Despite realsing that the threat to reveal the top secret codes and keys was of the "utmost seriousness", creating the risk of "serious counterfeiting", the police were not alerted until the arrival of the fourth letter, six months after the initial communication. What seems to have triggered this action was the threat to issue a press release broadcasting the security concerns.
Until then, the search for the "blackmailer" and the attempt to assess the security risk had been conducted internally and in secret - at "significant" cost in manpower and resources - without any success. Indeed at one time Barclays paid for a meeting with Browne to discuss security problems four months after he resigned in a huff and two months after the first demand for money.
Browne was identified within ten days by City police detectives as the likely author of the letters and arrested. He eventually confessed to writing the letters saying that the £25 million demand - £1.785 million each to be paid to himself and 13 others to form a team to deal with the problems - had been a joke which he had not expected the bank to take seriously. One of his former colleagues saw it more as a "cry for help". Perhaps from a man more sad than bad.
Having found its "blackmailer", Barclays then began civil proceedings to obtain an injunction against Browne to silence him from disclosing what he knew about the secret 16-digit keys and codes that control the card security system.
It also successfully pressured the crown prosecution service (CPS) into the rare step of having two magistrate court hearings in camera so that none of the evidence could be heard in public. The CPS had initially opposed this demand. The CPS also ensured that Barclays was not identified as the target of the alleged blackmail - again a highly unusual privilege for companies subject to extortion.
Browne entered into a settlement with his former employer in December 2000. From that point on Barclays appeared to some close to the case to lose enthusiasm for a prosecution which publicised Browne's claims about their "sloppy" security. Barclays had been seriously embarrassed by two earlier incidents in which customer Internet account information had leaked during last year.
Sources with knowledge of the prosecution suggested - no doubt incorrectly - that the bank had used the prosecution to ensure a settlement gagging Browne and once that was achieved was prepared to let the matter drop if the trial could not be done quickly and with minimum publicity. CPS officials complained at times about Barclays' attitude and cooperation. At one stage, the then Lord Williams is said to have been consulted.
The CPS, while insisting that the case must go ahead, endeavoured to keep Barclays onside. It insisted on Browne's committal being in secret. It kept Barclays' name out of the indictment until the trial began and the bank had given up the fight for anonymity. It allowed Barclays to effectively hijack the original trial hearing in September by appearing with counsel and demanding that the bank's experts must check the blackmail letters and Browne's interviews with the police to remove any "sensitive information" about the keys and codes.
This last intervention resulted in the trial being delayed two months. The bank's fears could always have been handled by replacing or redacting real keys and codes - as was done for the trial. Even at the seven-day trial Barclays was still represented by a gaggle of barristers and lawyers.
Barclays' shareholders might wonder at the justification for the large legal bill the bank has run up dealing with Graham Browne and endeavouring to keep the background to his case secret. Barclaycard holders might also wonder about the truth of Browne's statement to the police that the bank management "don't care about security".
This commentary was originally published in Private Eye, issue 1041.

Comments: (0)

Comment resources
See all Comment resources »
The millennial mindset

The millennial mindset

Globalisation, demographic change, virtualisation, new technologies - the confluence of these drivers is forcing European banks to adapt rapidly to stay on their game and remain relevant in a world that, five years from now, will demand an entirely new way of doing business.

Thomson Reuters and multimedia

Thomson Reuters and multimedia

Learn how financial services firms are using multimedia.

Sepa - where do we stand?

Sepa - where do we stand?

The European Central Bank's Gertrude Tumpel-Gugerell, outlines the obstacles to the creation of a Single Euro Payments Area at an offsite meeting of the European Payments Council.