
Ask HN: I work for consulting firm that's illegally moving bank code to GitHub

80 points | AussieOdyssey | 9 years ago

A big bank in Australia has outsourced its work to my consulting company, and when I started work at this bank (one of the biggest in Australia) I noticed that my consulting company is illegally uploading bank software to GitHub.

They do this because each consultant needs to have their background verified by the bank's security advisors, which takes around 2-6 weeks, and moving all the software to GitHub allows all consultants to start working immediately (without waiting for the background check to complete).

I pushed my code to GitHub without my knowledge on the first day and brought this matter to my higher-ups in my company, but they threatened to take me off the project if I "impeded the workflow of the team".

Now the rest of my contract fees haven't been paid out.

A software lawyer said I could be implicated in this activity (which he says is NOT criminal but a civil liability) because I pushed my code to the company GitHub on the internet (regardless of my intent or ignorance).

I am an independent contractor with the consulting company. The Financial Ombudsman said I do not qualify for lodging a complaint since I am not "technically an employee".

What's the way out? And will I be in legal trouble if I lawyer up?

78 comments

steve_g | 9 years ago
A. Shut up now. B. Stop talking about this. C. Shhhh! Shut up! D. Get a lawyer.

It sounds like you're a good guy who wants to do the right thing. But no one here can fully understand your situation, and it is not smart for you to be discussing this here. Find a lawyer who can give you good advice and protect your interests.

AussieOdyssey | 9 years ago
>It sounds like you're a good guy who want to do the right thing

As much as I sound like I am trying to do the right thing, all I am doing is avoiding going to jail by doing illegal things and earning to feed my family.

will_hughes | 9 years ago
First of all - get a lawyer.

Secondly - get a lawyer.

I don't know what state you're in, but Reddit's /r/AusLaw has a thread[1] which has the various law societies in each state, who can give you advice, and information about community legal centres.

[1] https://www.reddit.com/r/auslaw/comments/1u776a/looking_for_...

raleighm | 9 years ago
Multiple forms of bad behavior here: working w/out clearance; making confidential code publicly available; conditioning payment on illegal/unethical conduct.

Definitely a lawyer - a new one, since if you were satisfied with the first one you wouldn't need to come to HN.

Some questions to ask the new lawyer:

- Under applicable law, would you prevail in court to get your fees if you could only fully "perform" your obligations to the contractor's satisfaction if you violated the law? I'd expect the answer to be yes, which could be noted to the contractor's in-house counsel.

- Under applicable law, in your situation, if the contractor continues to sit on the complaint without action, is there any possible argument that you would be required to escalate to the bank or a regulator? That's critical info for your own protection and also could inform what your lawyer says to contractor's in-house counsel, if you go that route.

sdwisely | 9 years ago
This - EFA might even be worth asking who might be a good person to represent you.

zhte415 | 9 years ago
Anonymously heads-up the country-level information security officer of the bank in question with a link to the GitHub repo. CC the country head.

Working on code without security background checking confirmed is an absolute no.

This will completely torpedo your employer, but that might not be so bad if this is their attitude to information security.

Edit: As anonymous as you can. Have a lawyer present. Don't take advice from the internet like it is legal opinion.

AussieOdyssey | 9 years ago
The consultant is running wireless hotspots to copy the software. All I want is the contract money they agreed to pay me for this project. They froze the payment because I complained about this, at best unethical, behaviour.

cauterized | 9 years ago
If they're refusing to pay you, as mentioned in a comment, get a lawyer. Now.

The lawyer can help you recover your wages AND advise you about the legal implications of both your and the company's handling of the code, and of any action you might take to reveal it.

pbasista | 9 years ago
I am not clear on one important detail: Is the code being pushed to a public or private GitHub repository?

In any case, there are 2 issues:

1. Your employer (the consulting company) does not want to pay you for the work that you have done.

2. Your current assignment involves supposedly illegal activities (putting the customer's, i.e. the bank's, code on GitHub) in which you do not want to participate.

In order to resolve issue #1, get a lawyer, analyze your contract and if its terms were indeed broken, sue the company.

In order to resolve issue #2, simply do not do it. Quit the job. If the matter bothers you and you want to stop the supposedly illegal practices from occurring again, talk to the customer (i.e. the bank, not your employer). They must have some means of internal whistleblowing. Find out what it is and how to raise a concern. It should be possible to do it anonymously. As soon as you do it, your part is done. From that point on, it is their responsibility to take the matter further, should they wish to do so.

AussieOdyssey | 9 years ago
1. Theoretically I am the asshole. I refused to push the code to GitHub and the company refused to pay me.

2. Yes, I refused to do it until proper channels were established, but I ended up sticking out like a sore thumb when other employees didn't mind pushing/pulling from github.com via wifi hotspots.

I can talk to the bank, I can quit the job, but the bottom line is that I will be without any cash inflow. My lawyer said that the consulting company is one of the biggest ones and they will make sure that I don't have another job (which is kind of true because of reference checks).

warninger | 9 years ago
A word of warning - it's quite straightforward to do a Google search for 'site:github.com {bank_name}' for the large Australian banks, and find a repository that looks like the one you describe.

You might want to contact the HN admins and ask them to completely scrub this entire thread, as it could well get you into trouble.

dr_win | 9 years ago
I don't get your comment. Assuming we are not talking about public repos here, OP's employer set up a private GitHub repo where contractors collaborate on the bank's code. This cannot be searched by Google. The problem OP has is that the code should not be hosted outside the bank's own infrastructure and contractors should not have access before they pass background checks. According to my understanding.

AussieOdyssey | 9 years ago
You can see the company's GitHub profile but you cannot see the project. It's only for the consulting company employees. The commenter below explains it right.

It's moved out of the intranet onto the internet without consent to avoid delaying work for employees who failed/are in the process of a background check.

brudgers | 9 years ago
As a consultant, this is why it is a good idea to have a corporate entity to absorb contractual liability...and why it is a good idea for that corporate entity to have no assets.

Practically speaking, and skipping the 'hire a lawyer' part: it is likely that if there is legal action, it will be directed at the consulting company first and foremost, because it is likely to have deeper pockets and be backed by an insurance policy that was acceptable to the bank.

Generally, the insurance company will settle based on its exposure rather than outright liability. These things rarely wind up in court. Which brings me to my second recommendation: have insurance for errors and omissions.

Good luck.

AussieOdyssey | 9 years ago
Yes, what you are saying is true and that is indeed how I have worked in financial industries. I have my own ACN (C-Corp) consulting company with Indemnity/Liability insurance through which I work.

However, this gets muddied as I consult to a consulting company which in turn consults to the bank. I was informed by the Ombudsman that this was a common way to work in Silicon Valley and the US has laws that clarify it; however, Australia has not updated its laws regarding this "double employment".

vinodralh | 9 years ago
I would use the consulting company's open door policy and go up the chain... right to the country lead partner, and mention this to them in writing. Believe it or not, ethics is extremely important to consulting companies as trust and future work depend on this - and bring up any fears of being dismissed for bringing this to their attention.

AussieOdyssey | 9 years ago
>consulting company's open door policy

Just a heads up (regardless of my case):

Company open door policy exists to protect the company. Even HR is there to protect the company. Even in the US, whistle-blowing or rocking the boat will result in you being fired faster than you can say Oklahoma backwards.

solresol | 9 years ago
I am not a lawyer, but I think we can safely talk about the commercial aspects to this.

1. The bank won't chase you for what you've done. You have nothing the bank wants. The bank's legal team have bigger fish to fry. It's not cost effective for them.

If you want to walk away from this and forget about it, no-one will ever bring it up.

2. Nothing will happen between the bank and the consulting company. If you want to make life interesting, you could send an anonymous tip to the bank's auditors (likely to be Deloitte or KPMG). There will be a slap on the wrist for the consulting company, and they will be forced to put in some kind of better access control. Which they will then bypass unless the auditors come looking.

3. The only issue for you is getting your contract paid out.

If you and the consulting company's contract can be heard in Australia, you could try small claims court. There might be an equivalent in your own country if not. This is cheaper for the litigant and doesn't require legal representation (in Australia). There will be a process to follow (send a letter of final demand, etc. etc.).

I've never had to execute a small claims court case, because just the threat of it is enough to make most companies behave themselves and act like adults and negotiate sensibly.

In your case, the consulting company doesn't want it announced in court that they are violating the security of their customers (and that the reason you couldn't complete the contract was because you didn't want to be complicit in it). That costs them more than paying out your contract. Therefore they will settle before it gets in front of a judge.

But getting there will take weeks and months of heartache and stress. Decide whether it's worth it.

Just my $0.10 from 20 years doing consulting work with large enterprises.

scrumper | 9 years ago
"Illegal" how? Against an actual Australian law, or do you think it's against the terms of the master services agreement the bank has with the consulting company? Have you seen that agreement or the specific statement of work they're operating under?

AussieOdyssey | 9 years ago
I have worked in the financial sector for a long time and know that copying bank software illegally is criminal in the US and probably civil in Australia.

I program for the bank via the consulting company and my code is on the internet. Plus my contract is frozen with fees until I withdraw my complaint to IT of my consulting company.

Not sure who to talk to in the bank. HR said I have to resolve this with my consulting company, but I am pretty sure HR doesn't understand the implications of copying software.

sdwisely | 9 years ago
You're doing the right thing, please look out for yourself though!

You're pretty much inviting media in on this now before you're ready.

Delete post, it's a short list here in AU and I know which one of them I'd look at first. Get more legal advice before going any further.

hubatrix | 9 years ago
My speculation is you're working for Cognizant, am I right?

i336_ | 9 years ago
I'm not seeing any GitHub organizations in Australia with that name...

eelliott | 9 years ago
AussieOdyssey

If you're in Sydney and want to have a chat, email me: edward at flagshiplegal.com.au.

CodeWriter23 | 9 years ago
Seems like if you notified one of the higher-ups in charge of security at the bank, they would probably take care of it. And maybe you could parlay this into your own consultant agency by being honest and promising to follow the rules and take their security seriously. But definitely consult a lawyer. I have no stake in your future. And free advice is often worth every penny you pay for it.

jmho | 9 years ago
Firstly, you need to take care of yourself. If they are refusing to pay you and you are coming here to make an "anonymous public statement", it is fair to assume that your employer didn't like what they heard, or quite simply how they were told. It is important to remain true to your values; raising it with your employer and explaining why you are uncomfortable with that would have been my number one suggestion. She/he should be able to understand. It looks like she/he did not; my suggestion would be to raise it with her/his manager and the manager's manager. Always calmly and respectfully, as most likely there isn't necessarily a malicious intent.

Secondly, if you are really keen to reach out to the bank I'm happy to do it for you as I know quite a few security teams in the major banks. But please do not disclose who you are. Email me at [email protected]

AussieOdyssey | 9 years ago
Thank you for the polite response. I did speak to the consulting company HR and their response was extremely rude, with them going as far as saying they will make sure I never get a contract with anyone else in "(this city)".

The federal ombudsman offered to mediate the issue, but they flat out refused to talk to either the ombudsman or me, and the ombudsman has no power to force them (as they are technically not my "employer").

I am sending you an email.

paktek123 | 9 years ago
What rights has the bank given to the consulting company regarding the software?

If the bank has stated that the software can't be on GitHub and your company is putting it there, then it sounds like legal trouble between the bank and the consulting company, with you as the whistleblower, if you decide to lawyer up.

AussieOdyssey | 9 years ago
There are strict security measures in place to prevent any "leaks" of software, which means all USB ports are disabled on company devices, the company network has disabled git/github/bitbucket, and our security manual explicitly states that the code cannot leave the intranet.

The consultant bypasses this by running wireless hotspots.

AussieOdyssey | 9 years ago
Just a clarification that I posted here:

By "public github" I meant code on the internet (from the bank intranet) and accessible to anyone in the consulting company (public as in public network). There are multiple modules and they are moved to GitHub, Bitbucket and Stash. This also means people without background checks, or ANYONE in the organization, have access to ALL the code of the bank. In the bank ONLY people in specific departments have access to specific code (as is customary for the whole IT industry). This in turn means all contractors that git sync have all the code on their machines regardless of their access.

The consulting company is not breaking rules just for the sake of it but to speed up development, although what they are doing is illegal.
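
The two comments above describe a policy ("the code cannot leave the intranet") enforced only at the network edge, which a different network path sidesteps. As an added example, not code from the thread or from any company mentioned in it, here is a git pre-push hook in Python that enforces the same rule on the developer machine itself by refusing any push whose remote host is not on an intranet allow-list. The hostnames, the allow-list and the sample remote URLs are constructed for illustration.

```python
"""Added example (not from the thread): a git pre-push guard that refuses to
push to any remote whose host is outside an intranet allow-list.

git invokes the hook as:  pre-push <remote-name> <remote-url>
Install it as .git/hooks/pre-push (or via core.hooksPath) on each machine.
"""
import re
import sys
from urllib.parse import urlparse

# Constructed allow-list: only these hosts, or subdomains of them, may receive
# pushes. Everything else (github.com, bitbucket.org, a local path, a USB
# stick) is refused.
INTRANET_HOSTS = ("git.corp.example", "stash.corp.example")


def remote_host(url: str) -> str:
    """Return the lower-cased host of a git remote URL, or '' if there is none.

    Handles the three common forms git accepts:
      ssh://git@host[:port]/org/repo.git
      https://host/org/repo.git
      git@host:org/repo.git            (scp-like syntax, no scheme)
    A bare local path (/srv/git/repo.git, ../other) yields '' and is treated
    as disallowed, since a path push also copies the code somewhere else.
    (Note: a Windows drive path such as C:\\repo would parse as host 'C'.)
    """
    if "://" in url:
        return (urlparse(url).hostname or "").lower()
    # scp-like form: optional user@, then host, then ':' before the path.
    m = re.match(r"^(?:[^@/]+@)?([^:/]+):", url)
    return m.group(1).lower() if m else ""


def is_allowed(host: str, allowed=INTRANET_HOSTS) -> bool:
    """True only if host equals, or is a subdomain of, an allow-listed host.

    The '.' prefix in the suffix check prevents 'notgit.corp.example' from
    matching 'git.corp.example'.
    """
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def check_remotes(urls, allowed=INTRANET_HOSTS):
    """Classify a batch of remote URLs (e.g. from `git remote -v`).

    Returns a list of (url, host, allowed) tuples so an admin script can
    audit existing clones, not just block new pushes.
    """
    return [(u, remote_host(u), is_allowed(remote_host(u), allowed)) for u in urls]


def main(argv):
    """Hook entry point; exit status 0 lets the push proceed, 1 blocks it."""
    if len(argv) < 3:
        print("usage: pre-push <remote-name> <remote-url>", file=sys.stderr)
        return 2
    name, url = argv[1], argv[2]
    host = remote_host(url)
    if is_allowed(host):
        return 0
    print(f"push to '{name}' ({url}) refused: host '{host or '?'}' "
          f"is not an intranet git server", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A client-side hook is a guardrail, not a control: anyone with write access to the clone can delete it, so it complements rather than replaces server-side measures such as egress filtering and repository access reviews. The `check_remotes` helper is there so the same logic can be run over the output of `git remote -v` across existing checkouts to find remotes that already point outside the intranet.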

detaro | 9 years ago
> although what they doing is illegal

I can't add much to help you, but I'd be interested in what laws requiring background checks for this look like; could you tell me where I can find more about that? (I would have expected this to be "just" a contractual requirement between the bank and your employer.)

flukus | 9 years ago
What SCM does the bank itself use? It may have started as an svn bridge or something and been moved to GitHub and had access extended accidentally.

i336_ | 9 years ago
Oh ouch. That git setup is... great lawyer material. Wow.

vorotato | 9 years ago
Ask a lawyer; also, asking a programmer for legal advice is like asking a doctor for stock advice. They might think they have a good idea of what to do, but 99 times out of 100 that's because they have no effin clue what they're doing.