Queensland's former state government awarded an ultimately doomed $15 million contract to a politically connected cybersecurity company despite a quiverful of red flags, a taxpayer-funded autopsy of the decision reveals.
The red flags included the winning company, Cryptoloc Holdings, submitting financial records supposedly from an accountant that auditors could not find records of.
And the contract was awarded even after a credit-check agency warned bureaucrats of two adverse events linked to the company's founder, technology evangelist Jamie Wilson.
Queensland-based Cryptoloc Holdings won a state tender to deliver a $15 million cybersecurity program on the eve of the ALP declaring an election in 2024.
But within months, following ABC News reports revealing problems with associated businesses, the contract was in tatters, and the state had tipped Cryptoloc Holdings into liquidation, chasing almost $1.5 million initially paid into the program.
The new LNP government commissioned an audit into what went wrong, and the ABC has exclusively obtained a copy of the audit via Right to Information laws.
Political donations
Cryptoloc Holdings executive chairman Mr Wilson had been an enthusiastic networker; his business sponsored charity parties attended by celebrities including Boyzone singer Ronan Keating, and his enterprise drew adulation from the ALP's former deputy premier Steven Miles and LNP Brisbane Lord Mayor Adrian Schrinner.
Both Mr Wilson and his businesses also lavished more than $320,000 in donations on both sides of politics in the four years prior to the tender, with a large chunk going to the ALP.
The small business department tender was to run a $15 million program helping small and medium-sized businesses adopt cybersecurity measures under the former Miles government.
Thirty-three hopefuls submitted bids to the department.
A department panel then selected Cryptoloc Holdings, which was restructured from the main Cryptoloc group just before the tender, as the preferred supplier. The deal was formalised in a ministerial announcement in September 2024, just before Labor lost the state election.
But the audit, by finance advisory firm Grant Thornton, flagged a series of tender missteps.
In a big red box marked "critical", the auditors listed flaws about assessing the financial information's integrity.
"Financial documents provided by the preferred supplier were unaudited, lacked independent verification and contained multiple red flags, raising concerns about their reliability," the auditors wrote.
'Highly unusual' bank balance
Among the problems was Cryptoloc Holdings supplying a three-page PDF document of financial accounts to outsourced credit reporting agency Equifax. Equifax, in a report to the department that gave the bidder a 4.32 score out of 10, put in a disclaimer saying it did not verify the supplied information's accuracy.
The department also had not assessed the completeness of Cryptoloc Holdings' financial information, the auditors wrote, and questions surrounded those documents.
The auditors' searches of government registries and three major accountancy organisations could not find the documents' listed accountant, either as a registered tax agent or member of the accountancy organisations.
Also, the profit and loss statement and balance sheet were "presented in a non-standard and unexpected format", the auditors noted.
Cryptoloc Holdings' balance sheet listed having $2.432 million in its bank account in August 2024, prompting the auditors to advise: "For a small Australian business who has accumulated losses to date of $1.133 million, bank account balances of this magnitude are highly unusual."
Equifax's report to the government, meanwhile, had flagged "adverse" findings against two other companies of which Mr Wilson was a director. But "there does not appear to have been any consideration of these 'adverse' findings", the auditors wrote.
In fact, the panel had finalised its supplier recommendation even before receiving Equifax's report. "This indicates that financial stability was not comprehensively evaluated, despite being a key criterion," the auditors wrote.
'Robust' procurement process
The auditors themselves found gaps, with some "key stakeholders" involved in procurement unable to be consulted after transferring to another department.
Bureaucrats vowed that a guideline for assessing financial viability would be developed, including "conducting financial document integrity checks".
Attempts to contact Mr Wilson, who has declared bankruptcy, have been unsuccessful.
He has previously denied to the ABC any wrongdoing and said the company had been performing to the contract's requirements.
Open Data Minister Steven Minnikin's office said questions remained for then-Labor ministers, including current Opposition Leader Steven Miles, about the then-government having signed "a murky deal … despite major red flags".
That included why the value of the program increased and "why was the contract rushed through in the final hours before caretaker period began", it said.
But an opposition spokesman maintained: "Government procurement should always be managed by the department at arms-length away from ministers to ensure contracts are independently awarded as was the case with this matter."
"Departments should have robust processes in place," they said.
Neither the LNP's Mr Minnikin nor the opposition would answer if they thought Cryptoloc-linked donations should be returned.
Equifax declined to comment on specific cases but told the ABC that generally its risk scorecards were "not a forensic financial audit".
