
EC-Council Investigating Insider for Embezzlement

In a letter sent to partners, Jay Bavisi, President and CEO of the EC-Council, said that the company responsible for making Certified Ethical Hackers (C|EH) had launched an investigation after one of their own embezzled company funds.

The EC-Council has certified some 60,000 IT professionals globally, with more than 13,000 C|EH holders in North America alone. The notion that one of their own has betrayed them is troubling. 

“EC-Council has commenced an investigation of fraud, embezzlement and grand larceny on certain transactions that were requested by a person that was previously employed with EC-Council,” the letter obtained by SecurityWeek explains.

“The modus operandi of this person was to use ‘personal reasons’ to seek the sympathy of the innocent EC-Council partners with the aim of requesting a personal short term loan due to alleged family emergencies. Other frauds were committed too. The person then fraudulently ‘repaid’ this loan via EC-Council accounts department by passing the transactions as business related.”

SecurityWeek has contacted several people about this letter. From these sources, we now know there were at least two other letters written about the investigation. It’s understood that the issue is being taken very seriously by the organization, and while they didn’t go public with the case, they haven’t attempted to spin it either.

In fact, when the letters were initially sent back in June, PR wasn’t a consideration. They were sent as part of a fact-finding mission. The senior leadership within EC-Council was doing its best to discover others who may have given personal loans to their former employee.

We know that they discovered at least one person who made a personal loan, but when we contacted them for an interview, the potential source requested that they speak to their attorney first. While circumstantial, we understand that it isn’t uncommon for someone who has given a legal deposition to have signed agreements that they remain silent on the nature of the conversation.

As for the nature of the other frauds mentioned in the letter, they remain a mystery.

This is where things get muddled. SecurityWeek asked the individuals we spoke with who they felt was responsible for the acts mentioned in the letter. The same name kept coming up.

Leonard Chin, the former Director of Marketing, Director of Business Development, and Director of Conferences & Events for EC-Council, is the person that stands accused by those who are familiar with the incident.

Mr. Chin is a well-known figure in the Information Security community. His roles within EC-Council led him to launch the Hacker Halted security conference, as well as TakeDown Con. If the allegations are true, this is a harsh blow to the organization.

Previously, EC-Council had to face what Attrition.org called, “a wide variety of criticism coming from both the education and information security professions.” “The company not only runs an extensive certification program, they also operate a virtual university. This has not stopped them from taking shortcuts usually reserved for students, by plagiarizing content from other sources and including it in their commercial offerings.” 

So far though, when it comes to Mr. Chin’s role in the incident, all there is to go by is circumstance – and a lot of it.

Mr. Bavisi would neither confirm nor deny that Mr. Chin was responsible for the embezzlement, but he did confirm that he no longer works for the organization, and that “the matter is now in the hands of authorities in more than one country.”

This statement is telling, as two of the people we spoke with noted that Chin had been arrested recently in Singapore. A third person noted that he has had previous problems with the law for related incidents. However, privacy laws within Singapore prevent outsiders from researching arrest records and court documents over the phone, so we were unable to confirm this information for ourselves.

Since June, around the time the internal investigation started to heat up at the EC-Council, Mr. Chin’s online identity started to change. His Twitter feed went silent. A once full and detailed LinkedIn profile was removed. Moreover, attempts to reach Mr. Chin via phone and personal email turned into a virtual dead-end.

SecurityWeek also contacted Secure Ninja, the training firm where Mr. Chin went to work following his employment with the EC-Council. Senior management at Secure Ninja would not explain the circumstances as to why, but they did inform us that he no longer works for the company. Chin only started working there in February, 2012.

As mentioned, everything pointing to Mr. Chin is circumstantial, and we’re still digging. We’ll follow up with details as we get them.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.