Dual-Use Endpoint Failure

 October 31, 2024 at 11:38 AM: Defendant states; “As for accessing Mphasis email, it appears policy (page 10, section r) restricts use on a QBE laptop. While incognito and stateless web sessions are an option, I'm not sure they're permitted under the guidelines.”

October 31, 2024 at 2:31 PM: Defendant states; “Per attached QBE Policy, page 10 section r), it does not look like we are allowed to access third-party emails unless QBE has approved… r) Use unauthorised third-party email services for exchanging business-related messages and information. Only the QBE provided email system or other approved transmission tools may be used for transmitting information and files relevant to QBE’s business;”

Oct 31, 2024 at 2:53 PM: Mphasis HR states, “Since you already got a client laptop, Mphasis IT team will not provide you an Mphasis laptop.”

Oct 31, 2024 at 19:18 PM: Mphasis CIO Office states, “Point mentioned talks about unauthorized email services for transmitting Information and files relevant to QBE’s Business , which is how it should be . You should not try to transmit client data using any other email services.”

Oct 31, 2024 at 2:53 PM: Mphasis CIO Office states, “User can use personal machines for accessing Mphasis web mails over browser or request Mphasis WVDI”

Nov 1, 2024 at 1:19:28  PM: Defendant states; “Team,

I’m encountering errors when trying to access the Mphasis portal from my personal Mac. I've attached screenshots for reference. As per QBE policy (referenced below), I’m unable to use the QBE Windows laptop for this purpose. Baldwinder, could you please advise on steps to access the Mphasis WVDI, as discussed yesterday? I’m grateful for the opportunity to contribute and look forward to resolving this matter. Respectfully, Albert

QBE Policy Reference:

Group Acceptable Use Policy.pdf, page 10

4.8 Prohibited Behavior

Section (r): Use unauthorized third-party email services for exchanging business-related messages and information. Only QBE-approved systems may be used for transmitting sensitive information relevant to our business.

Additional Note:
Accessing third-party systems, including portals or email clients, through web connectors can pose security risks. Based on experience with companies like Walmart, BofA, and others, security incidents are often internal rather than external. 

Nov 1, 2024 at 2:21 PM: Mphasis CIO office states; “Please try it in different browser it should work. Also Jitendra has already clarified on this yesterday. Any further queries on policy please connect with your manager."

Nov 1, 2024 at 4:41 PM: Defendant states; “During a live Zoom session (about 30 minutes ago) with Dilip, his laptop encountered a blue screen error and crashed… Contractors should not be accessing employee portals through QBE-issued laptops and web sessions, even if a network configuration oversight left this access open. In the event of a breach, QBE and regulatory bodies will likely audit all access logs, including web sessions. Attached is a photo taken with my iphone during my session with Dilip."

Nov 12, 2024 at 3:25 PM: Defendant states; “Team,

It’s clear there’s an issue with QBE’s network security when accessing the QBE ServiceNow portal requires using incognito mode. See QBE laptop screen below my name.

Allowing third parties to access internal portals via the QBE network is risky and leaves the door open to potential security breaches. 

Someone should advise QBE that they should seriously consider tightening their network security. For comparison, I’ve never been able to access an employer's portal through networks at JPMC, DoD, Navy, SpaWAR, or Los Alamos Labortories whereas I could at Walmart—and we’re all aware of Walmart’s security challenges.

Respectfully,

Defendant

Ps. Regarding Balwinder's 31 October 2024 19:18 email: 

"If primary operations are on QBE and they have already allocated machine , in such cases we don’t allocate Mphasis machine just to access web email." 

I only access Mphasis emails with my personal Mac laptop.”

Nov 12, 2024 at 4:40 PM: Mphasis HR states; “Mphasis may be considered an authorized party by QBE since they are our client… Please use your client computer (which most employees to do) or your phone.”

Nov 20, 2024 at 11:32 PM: Defendant states; “Accessing Mphasis email on QBE's network violates the QBE Group Acceptable Use Policy (Page 10, Section r). The policy explicitly states "Use unauthorized third-party email services for exchanging business-related messages and information. Only the QBE-provided email system or other approved transmission tools may be used for transmitting information and files relevant to QBE's business.”

Nov 21, 2024 at 4:30 PM Mphasis CIO Office states; “Security Policy – The current working arrangement and usage of QBE laptops is common across all onshore team members. We appreciate you shared your security concerns about QBE, but it is now at the discretion of QBE whether they would like to take it forward”

Dec 17, 2024 at 12:13 PM: Defendant states; “I'm unable to access Mphasis emails from QBE. I previously submitted a request for an Mphasis laptop while using my personal Mac, which I no longer have. Could you please arrange for the same setup as Dean? Please refer to his note below for details. I would appreciate an update on the status of the Mphasis laptop when you have a chance. Thank you!

[December 17, 2024 Dean Forest]

• Defendant 11:52am: Do you have a QBE laptop???
• Dean Forest 11:52am: Yes
• Defendant 11:52am: how do you access Mphasis emails from QBE laptop without downloading the Microsoft authenticator?
• Dean Forest 11:52am: I don’t have my Mphasis emails on my QBE machine. I use my Mphasis laptop for it.
• Defendant Copy
• Dean Forest 11:53am: I can access my Datalytyx emails from my phone etc but Mphasis stuff strictly my Mphasis machine. Which is annoying but I’ve learned to live with having 2 laptops open most days.
• Defendant 11:53am: so you got a Mphasis Laptop and a separate QBE laptop correct?
• Dean Forest 11:54am: Yes My QBE laptop has applications which are native to this machine so even if I long via QRED (VCS session) using my Mphasis laptop I cannot access tools I need just basic stuff like microsoft office.
• Defendant 11:53am: Copy Exactly! Thank you!
• Dean Forest 11:55 AM: no problem"

Dec 18, 2024 at 9:20 AM: Defendant states; “If there is a laptop available at the Mphasis London office, for the next week or two, please advise.”

Dec 18, 2024 at 10:07 AM: Defendant states; “Please see attached whilst scanning QR code; after add account -> Mphasis on QBE machine -> "No unable data found”. Between all of us, I'm glad this error happened because if I was able to connect, that would definitely be a hole. ”

Dec 18, 2024 at 11:52 AM: Mphasis CIO Office states; “Authenticator is required to login to Mphasis machine also. We cannot bypass it , you can configure multiple accounts in authenticator (I had it for client as well as Mphasis when I was supporting client). Please click on add account in authenticator and proceed with scan QR code option . Once your MFA is configured , you should be able to access Mphasis apps using browser.”

Dec 18, 2024 at 2:13 PM: Mphasis CIO Office states; “This looks like it is from a desktop APP, which would make sense. But you can access all the web versions on any machine from Edge/Chrome in Incognito/InPrivate”

Dec 18, 2024 at 6:09 PM: Mphasis CIO Office states; “In your authenticator, do you already see an Mphasis account listed? If so, remove it, and then try scanning again”

Dec 18, 2024 at 6:55 PM: Mphasis CIO Office states; “You are scanning it using camera app , rather than using below steps to scan. In phone open authenticator app - Click on + icon – select work or school account – select scan a QR code option and then scan QR code from laptop screen"

Dec 18, 2024 at 1:27 PM: Defendant states; “It's not working my friend! Please see ‘incognito’ screen shot attached. And it’s a good thing it’s not working!”

Dec 18, 2024 at 2:19 PM: Mphasis CIO Office states; “You can use personal machines, but you will be limited to WEB Version only. This has been an Mphasis CIO/CRO policy for at least 5 years. ONLY Mphasis Domain Joined machines can use Desktop apps, which allow downloading and storing of Mphasis data. Regards, Jared Bulger Senior U.S. Administration Officer"

Dec 18, 2024 at 3:14 PM: Defendant states; “I’m unable to access the Mphasis intranet because it requires the Authenticator app on my phone, which is managed by QBE.”

Disclaimer: Protected Legal Submission

This site contains content directly related to the pending matter Mphasis Corporation v. Defendant, Case No. 25-cv-3175 (JMF), before the United States District Court for the Southern District of New York.

All materials are presented in furtherance of a constitutionally protected and statutorily authorized whistleblower defense. They include sworn declarations, factual assertions, legal arguments, and evidence submitted by the undersigned, appearing pro se.

These disclosures are expressly protected under:

• 18 U.S.C. § 1833(b) – Defend Trade Secrets Act (Whistleblower Immunity)
• 18 U.S.C. § 1514A – Sarbanes-Oxley Act (SOX)
• 15 U.S.C. § 78u-6(h) – Dodd-Frank Act (SEC Whistleblower)
• N.Y. Lab. Law § 740 – New York Whistleblower Protection Law

No information herein was obtained through unauthorized access or improper means. All content is submitted in good faith to expose and document systemic compliance failures and risks to public interest, consistent with applicable law.