Whistleblower Statement: Retaliation, Endpoint Risk, and Systemic Governance Failure
Albert Rojas, Pro Se Defendant
Mphasis Corp. v. Rojas, Case No. 1:25-cv-03175-JMF (S.D.N.Y.)

This publication is issued under the whistleblower protections of 18 U.S.C. § 1833(b) (Defend Trade Secrets Act), Sarbanes-Oxley, Dodd-Frank, New York Labor Law § 740, and other applicable laws.

This case is not about trade secrets. It is about retaliation, infrastructure negligence, and executive attempts to suppress audit exposure by targeting the employee who documented it.

Mphasis never issued me a company laptop. Instead, I was expressly instructed to use a QBE-issued device—a dual-purpose endpoint that connected simultaneously to both QBE and Mphasis systems. This violated core principles of endpoint isolation, zero trust architecture, and cybersecurity hygiene.

In November 2024, I raised internal warnings about this reckless configuration, citing:

• Unmanaged endpoints
• Offshore access points
• Regulatory exposure from dual-use hardware
   

My warnings were ignored.

By November 2024, I formally escalated the risks through protected whistleblower channels, explicitly stating that QBE’s enforcement failures and infrastructure drift would lead to a breach.

That breach occurred months later—exactly as I warned.

Instead of remediating the risks I documented, Mphasis terminated my employment and—coordinating with QBE—filed a retaliatory lawsuit to silence those disclosures.

QBE then lost custody of the laptop for over five months. This device held:

• Personally identifiable information (PII)
• Protected health information (PHI)
• Financial records
• Persistent access to QBE’s production environment
   

Only after court intervention did QBE initiate a return—but failed to provide me, the lawful holder, any QR code, tracking protocol, or chain-of-custody process.

Instead, QBE Senior Counsel Julie Anderson sent the return label to a random executive—Erik Todd, VP of IT—at 55 Water Street.
No global financial institution routes return of a regulated, credential-bound asset to an executive’s desk.

QBE’s own internal directive on December 22, 2024, was unambiguous:

“You have to drop off the laptop in the office you picked it from. These are leased equipment.”
– Palavesam Chandrasekar, QBE
 

Yet this directive was ignored. The return was routed outside all secure recovery channels—bypassing the assigned custodian, destroying verifiability, and exposing a total failure of basic asset governance.

That single act reflects more than poor judgment:

• It violated HIPAA § 164.310(d)(1) (Device and Media Controls)
• It contravened NIST SP 800-53 CM-8 (Component Inventory) and MP-6 (Media Sanitization)
• It breached ISO/IEC 27001:2022 (Annex A.8.1 - Asset Management)
   

This failure undermines QBE’s false narrative that its March 2024 healthcare breach was due to “aggressive external hacking.” The true cause was internal mismanagement, predictable and preventable.

Had I not escalated the return myself and documented the incident at QBE.world, the device—and the risk trail it exposed—would have disappeared without trace.

While I was abroad in London, Mphasis’s attorney Kimberly Karseboom (Ogletree Deakins) hired Brad Kelly, a private investigator who attempted unauthorized entry into my New York residence—with no court order, no notice, and no lawful basis.

Legal action.

 The March 2024 QBE healthcare data breach was not caused by external cyber intrusion, but by internal governance breakdowns—precisely the same endpoint and oversight failures I reported. QBE’s ongoing refusal to provide a veridiable digital chain of custody, reliance on physical-only delivery methods, and unwillingness to communicate electronically about this return mirror those systemic dediciencies.

Additionally, QBE and Mphasis operate under layered offshore structures. QBE’s infrastructure is ultimately managed outside the United States, and Mphasis is a subsidiary of an Indian multinational. These cross-border frameworks appear designed not for efdiciency, but to obscure accountability from U.S. courts, regulators, and affected individuals.

Returning the laptop under these conditions does not waive any legal claims. Rather, it evidences—factually and procedurally—the same systemic governance failures that continue to endanger regulated data and operational integrity.

I declare under penalty of perjury that the foregoing is true and correct.

Executed on: May 10, 2025 Location: New York, New York

This was not due diligence. It was retaliation disguised as legal process—a coordinated act of intimidation to obstruct protected whistleblower disclosures.

On May 10, 2025, I submitted a sworn declaration under penalty of perjury (28 U.S.C. § 1746), confirming:

• The laptop’s leasing records 
• Serial metadata 
• Direct assignment to me 
• Lack of provisioning by Mphasis
   

This was not a shared or anonymous asset. It was a traceable, production-bound endpoint under QBE’s administrative control.

The QBE 2024 breach was not a cyberattack. It was corporate malpractice:

• No tracking of endpoint inventory
• No enforcement of access policies
• Offshore sprawl with no compliance guardrails
   

Despite having no evidence I accessed Mphasis infrastructure, because they never issued me a device, Mphasis retained Ogletree Deakins to pursue a knowingly false narrative.

This lawsuit does not protect trade secrets. It serves to:

• Obscure internal control failures
• Shield QBE from March 2024 breach scrutiny
• Weaponize litigation to punish dissent
   

If the Court considers adverse inference for my refusal to surrender my personal laptop, let me be clear:

“Any adverse inference is incompatible with the Plaintiff’s own record.
Mphasis never provisioned me a domain-bound device.
If they now allege I accessed proprietary systems using a non-domain, non-credentialed endpoint, it confirms their own infrastructure was unsecurable—and ripe for regulatory audit.”

Even the Court appears uncertain about Plaintiff’s shifting litigation posture:

“The request for ‘search parameters’ and ‘keyword guardrails’ is also unnecessary because the only process taking place tomorrow is forensic imaging, not a search.”
— U.S. District Court, SDNY (Dkt. No. [insert actual number if known])

This lack of clarity underscores the Plaintiff’s attempt to blur lines between lawful discovery and overreach—weaponizing forensic imaging without defined scope, protocol, or any legitimate basis tied to a provisioned asset.
 

This is not a trade secrets dispute. It is a retaliation case, built to punish a whistleblower and distract from systemic governance failures.

In this theater:

• Mphasis plays the victim
• I am cast as the villain
• The Court is asked to validate a false script
   

I reject that script—and I reject the attempt to erase the truth.

Mphasis failed to issue me a work device.
QBE directed me to use a dual-access laptop.
That setup breached:

• NIST SP 800-53
• ISO/IEC 27001
• HIPAA § 164.308(a)(1)
   

I reported the vulnerabilities.
I withheld my personal device to protect constitutional rights.
And I backed everything with timestamped, verifiable evidence.

Let’s be blunt: Mphasis only brought me in because QBE requested me by name.
The enhancements I delivered are documented and remain visible in this technical walkthrough:
🔗 https://www.youtube.com/watch?v=QulAEmBGEec

“If I could exfiltrate trade secrets without access, credentials, or a provisioned laptop—then Mphasis wasn’t the victim of theft.
It was the architect of its own vulnerability.”
 

All supporting evidence is archived at:
🔗 https://Mphasis.cloud
🔗 https://QBE.world

I will not be silenced.
I will continue to lawfully defend my name, data integrity, and the public’s right to the truth.

— Albert Rojas, Pro Se Defendant
✉️ albert.rojas@qbe.world

The Real Breach: QBE’s Endpoint Negligence

This is not a trade secrets case. It is a retaliatory cover-up of a whistleblower disclosure, launched to conceal:
• QBE’s reckless provisioning of dual-endpoint laptops (used concurrently for QBE and Mphasis access);
• QBE’s failure to secure or audit that device post-termination, leaving it active and unattended for five months;
• QBE’s misrepresentation of the 2024 healthcare data breach as an “external hack,” when in fact it was caused by grossly negligent internal IT governance—which I disclosed to QBE leadership in October 2023.

Moreover, the QBE-issued laptop—left fully operational for over five months with active enterprise credentials and protected health data—constituted a latent threat to regulated infrastructure, akin to leaving a loaded handgun in a public hallway. That device was provisioned without safeguards, abandoned without retrieval protocol, and never audited by QBE or Mphasis until this litigation.

To avoid triggering regulatory audits or breach disclosure obligations, Mphasis engaged outside counsel, who then employed a private investigator in an extrajudicial attempt to retrieve the device directly from my residence. This covert maneuver was not a good-faith recovery effort—it was a desperate act of concealment. The laptop’s chain-of-custody and content, now part of the evidentiary record, prove that both QBE and Mphasis prioritized reputational containment over statutory compliance.

These facts, supported by my sworn declarations and the court-ordered return timeline, underscore that the 2024 QBE healthcare data breach was not caused by external actors. It was caused by systemic governance failures, unmanaged endpoint architecture, and willful retaliation against an employee who reported it.

I raised these issues formally—through internal channels and directly with legal and compliance stakeholders. The warnings went unheeded. Instead, I was terminated abroad, without ever being provided a proper return protocol for the QBE device. The same unmanaged device was later cited as part of the breach vector.

Outsourcing Without Oversight:
QBE partners with Indian offshore vendors that routinely operate with elevated privileges, zero physical verification, and a culture of "make it work, no questions asked." The breached data was never properly protected because it was never properly governed. Leased machines, shipped across borders, were never audited. Virtual sessions with sensitive U.S. healthcare data were accessed from remote regions where HIPAA and U.S. cyberlaw have no practical reach.

The Data Exposed:
This breach affected data that included:

• Protected Health Information (PHI)
• Personally Identifiable Information (PII)
• Financial transaction data tied to HSA, FSA, and COBRA accounts
• Employee IDs, birthdates, and Social Security numbers