
Ask HN: I work for consulting firm that's illegally moving bank code to GitHub - AussieOdyssey
A big bank in Australia has outsourced its work to my consulting company and when I started work at this bank (One of the biggest in Australia) I noticed that my consulting company is illegally uploading bank software to github.<p>They do this because each consultant needs to have background verified by the bank security advisors which takes around 2-6 weeks and moving all the software to github allows all consultants to start working immediately (without waiting for background check to complete).<p>I pushed my code to github without my knowledge the first day and brought this matter to my higher ups in my company but they threatened to take me off the project if I &quot;impeded the workflow of the team&quot;.<p>Now, my rest of the contract fees hasn&#x27;t been paid out.<p>A software lawyer said I could be implicit in this activity (which he says is NOT criminal but civil liability) because I pushed my code to the company github on internet (Regardless of my intent or ignorance)<p>I am an independent contractor with the consulting company. The Financial Ombudsman said I do not qualify for lodging a complaint since I am not  &quot;technically an employee&quot;<p>What&#x27;s the way out? And will I be in legal trouble if I lawyer up?
======
steve_g
A. Shut up now. B. Stop talking about this. C. Shhhh! Shut up! D. Get a lawyer

It sounds like you're a good guy who want to do the right thing. But no one
here can fully understand your situation, and it is not smart for you to be
discussing this here. Find a lawyer who can give you good advice and protect
your interests.

~~~
AussieOdyssey
>It sounds like you're a good guy who want to do the right thing

As much as I sound like I am trying to do the right thing all I am doing is
avoid going to jail by doing illegal things and earning to feed my family

~~~
i336_
I don't want to (a) duplicate work and (b) misstep so I'm asking first - would
you like me to ask in /r/AusLaw about this whole thing? I don't think there's
much difference between me and you asking; just trying to be helpful.

EDIT: I'm leaving this comment here, but I just learned that /r/AusLaw does
not provide legal advice under any circumstances. Asking them would likely get
you the same "find a lawyer" advice you've gotten here.

~~~
AussieOdyssey
Thank you for being helpful. I really appreciate it. I did checkout /r/auslaw
and noticed that do not provide any legal advice under any circumstances.

~~~
i336_
I'm very curious about whether you've made any progress in figuring out how to
resolve this yet. Primarily for your sake, and also because of the side effect
that this is an excellent learning opportunity for others.

I noticed your response to the person who provided the anonymized email
address. Hopefully that proves helpful!

One request: it would be really awesome if you could provide an update when
this has all blown over (which I realize might be months from now - although I
hope the $ side gets resolved way before then!).

On the one hand bumping old threads doesn't surface them again, on the other
hand I'd say it would be a 50/50 chance whether an update post would ever
actually reach the front page on here. Somewhere on Reddit might be a better
idea, but I'm not (yet) quite sure where would be a good practical, relevant
and high-visibility spot to put it.

~~~
AussieOdyssey
No progress at all. I am about to give up and start looking for new contract.

Consulting company: Does NOT want to talk about it at all.

Bank: They were shocked by the news but since I am not their employee they
can't reveal their decisions to me. I think they don't want to rock their boat
and the consulting firm is major part of their IT division.

Ombudsman: I am technically not an employee. They want to help me but
consulting firm refuses to communicate

Lawyers: Understable that they don't want to get involved unless I pay fees
(It's like asking me to take a look at perl code for free). Too expensive and
risk that I could be counter-sued. Plus it could potentially be criminal
liability (With bank code and even customer data used for UAT on the
internet).

~~~
i336_
Ugh. I've been staring at your post for a while wondering about solutions.

I wish there was some way to turn this situation into the bank thanking you
with some kind of consideration.

At least it's good to hear that the bank now knows about it, although that
doesn't really solve your situation.

I take it that fees are a problem because the contract payouts were stopped,
more or less? (As infuriating as that type of situation is) For example I know
of one lawyer in NSW who takes computer-related work - for mid-range three
figures :/ (that said, would this be interesting to you?)

It sounds to me like it would be a very good idea for you to get a concrete,
unambiguous idea (ie sit down and work it out with someone) of where you sit
in terms of civil liability, relative to your total and utter ignorance (for
example, what's the difference between (a) signing up for this contract, (b)
walking into the building for the day and (c) committing the code? IANAL (!!!)
but I reckon the argument of intent is equally weak with all examples). It's
possible you may be less vulnerable than surface/kneejerk intuition might
suggest - but of course I could be wrong. (I have absolutely no idea.)

Besides making it clear to the lawyers about the _immediate /current_
liquidity situation, the bank and ombudsman don't seem completely against you,
and I wonder how far you could go with that.

I assume you've reiterated _all_ of the context (without unnecessary details,
unless that's okay) with the Ombudsman, to see what ideas they might be able
to come up with.

With the bank, you've probably scored a few points with the security and
related folks there. If the consulting firm is integrated into the bank then
that might point to systemic breakdown elsewhere, but on the other hand, their
silence could simply be professionalism on their part while they mete out
corporate knuckle sandwiches. (Or I could be being ridiculously optimistic.)
Maybe you could chase them down and see if they'd be interested in having you
on board; worst (ish) case is that you find more of this kind of thing and get
even _more_ points. Something to keep in mind.

Finally, have you tried Legal Aid? They're not lawyers per se, but they may be
able to give you a bit of a foundation to headscratch through this with. I
would definitely call them. (It's only 3PM!)

As a last resort another contract may turn out to be necessary, and I hope
that works out if it comes to that. But don't completely give up, even after
that point - you refused to do work that could legally compromise you because
it violates corporate policy and standard security access controls, due to the
craziness and laziness of others. You should still receive your contract
payout.

lol at the perl code bit :)

If you want to get in touch, my email is in my profile, and the username
you've picked isn't taken on Gmail yet FWIW; there's really nothing
interesting Gmail can leak. Just use a fake name/birthday for the associated
G+ account that will get created.

~~~
AussieOdyssey
Unfortunately there are no solutions. The consulting firm is too firmly
entrenched within the bank and the bank cannot make any decision without
harming themselves. I have resigned and I will post an update on HN soon.

~~~
i336_
Wow.

For what it's worth, thanks very much for the concise headsup.

I think I can safely assume you'll provide a good idea of your experience in
that update!

I'd really appreciate a link to it when you post it - I don't want to miss it.

------
will_hughes
First of all - get a lawyer.

Secondly - get a lawyer.

I don't know what state you're in, but Reddit's /r/AusLaw has a thread[1]
which has the various law societies in each state, who can give you advice,
and information about community legal centres.

[1]
[https://www.reddit.com/r/auslaw/comments/1u776a/looking_for_...](https://www.reddit.com/r/auslaw/comments/1u776a/looking_for_legal_advice_australian_legal/)

~~~
raleighm
Multiple forms of bad behavior here: working w/out clearance; making
confidential code publicly available; conditioning payment on
illegal/unethical conduct.

Definitely a lawyer - a new one, since if you were satisfied with the first
one you wouldn't need to come to HN.

Some questions to ask the new lawyer:

\- Under applicable law, would you prevail in court to get your fees if you
could only fully "perform" your obligations to contractor's satisfaction if
you violated law? I'd expect answer to be yes, which could be noted to
contractor's in-house counsel.

\- Under applicable law, in your situation, if the contractor continues to sit
on the complaint without action, is there any possible argument that you would
be required to escalate to the bank or a regulator? That's critical info for
your own protection and also could inform what your lawyer says to
contractor's in-house counsel, if you go that route.

------
zhte415
Anonymously heads-up the country-level information security officer of the
bank in question with a link to the Github repo. CC the country head.

Working on code without security background checking confirmed is an absolute
no.

This will completely torpedo your employer, but that might not be so bad if
this is their attitude to information security.

Edit: As anonymous as you can. Have a lawyer present. Don't take advice from
the internet like it is legal opinion.

~~~
AussieOdyssey
The consultant is running wireless hotspots to copy the software. All I want
is the contract money they agreed to pay me for this project. They froze the
payment because I complained about this, at best unethical, behaviour.

~~~
evgen
You will need a lawyer to determine your own liability here, to determine the
best path to report this to the bank, and to check your contract to see how
you can force the payment to be delivered. Save any and all communication
between you and the contracting firm, ideally on a device that they do not
control, and don't communicate in any way that can't be recorded for your own
protection.

Once things reach this stage you need a lawyer

------
cauterized
If they're refusing to pay you, as mentioned in a comment, get a lawyer. Now.

The lawyer can help you recover your wages AND advise you about the legal
implications of both your and the company's handling of the code, and of any
action you might take to reveal it.

------
pbasista
I am not clear on one important detail: Is the code being pushed to a public
or private GitHub repository?

In any case, there are 2 issues:

1\. Your employer (the consulting company) does not want to pay you for the
work that you have done.

2\. Your current assignment involves supposedly illegal activities (putting
the customer's (i.e. bank's) code to GitHub) in which you do not want to
participate.

In order to resolve issue #1, get a lawyer, analyze your contract and if its
terms were indeed broken, sue the company.

In order to resolve issue #2, simply do not do it. Quit the job. If the matter
bothers you and you want to stop the supposedly illegal practices from
occurring again, talk to the customer (i.e. the bank, _not_ your employer).
They must have some means of internal whistleblowing. Find out what it is and
how to raise a concern. It should be possible to do it anonymously. As soon as
you do it, your part is done. From that point on, it is their responsibility
to take the matter further, should they wish to do so.

~~~
AussieOdyssey
1\. Theoretically I am the asshole. I refused to push the code to github and
the company refused to pay me.

2\. Yes, I refused to do it until proper channels were established but I ended
up looking like a sore thumb when other employees didn't mind pushing/pulling
from github.com via wifi hotspots.

I can talk to the bank, I can quit the job but the bottom line is that I will
be without any cash inflow. My lawyer said that the consulting company is one
of the biggest one and they will make sure that I don't have another job
(Which is kind of true because of reference checks)

~~~
pbasista
You did not answer the question.

And how exactly can your past employer "make sure" that you do not have
another job? I do not get your remark about the references check.

If your potential future employer will be interested in references from your
past employers and if they find out something which raises concerns, they
should want to hear your side of the story as well. You will get every chance
to explain what exactly happened and why you acted as you did. If they do not
like it, you probably would not want to work for them anyway.

In any case, do not get intimidated and do not worry too much about the loss
of income. It will be temporary. You have all the freedom to choose your next
employer. Do so wisely.

------
warninger
A word of warning - it's quite straightforward to do a Google search for
'site:github.com {bank_name}' for the large Australian banks, and find a
repository that looks like the one you describe.

You might want to contact the HN admins and ask them to completely scrub this
entire thread, as it could well get you into trouble.

~~~
dr_win
I don't get your comment. Assuming we are not talking about public repos here.
OP's employer did set up a private github repo where contractors collaborate
on bank's code. This cannot be searched by google. The problem OP has is that
the code should not be hosted outside bank's own infrastructure and
contractors should not have access before they pass background checks.
According to my understanding.

~~~
vickfoo
it's a public repo

[https://news.ycombinator.com/item?id=13679334](https://news.ycombinator.com/item?id=13679334)

~~~
viraptor
No. They said it's on the public GitHub, as opposed to private GitHub
enterprise installation. Not that the repo itself is public.

~~~
AussieOdyssey
This is correct. It's a "public github" as in it's on *.github.com with access
to all employees of the consulting company regardless of the background check
(That's the whole idea of them moving to their github repo)

~~~
i336_
I think there's a small misunderstanding here that I'd like to clear up
explicitly.

Public GitHub repos are viewable by anyone with or without an account. You can
view and clone the repo if you know the correct URL.

Private GitHub repos are only accessible to those given access.

Within the scope of this terminology, my understanding is that this repo is
private. I think I'm right based on
[https://news.ycombinator.com/item?id=13682657](https://news.ycombinator.com/item?id=13682657)
and
[https://news.ycombinator.com/item?id=13682501](https://news.ycombinator.com/item?id=13682501).
Am I right?

Within the scope of corporate security, I understand that the code is being
moved out of the local intranet onto a non-corporate-managed Web service.
However, GitHub manage private repos for some fairly high-level groups (or at
least I assume they do), so their data protection policies are clearly very
decent. (I at least know that individual floors on the building are keycarded,
which is nice. I learned this from a story posted here by a guy who got
fired.) So, even though this is an impressive level of stupid, I'm relieved
that no leaking can/will happen (particularly for your sake now you've posted
this here).

OP, please note that several people have reached out to you from top-level
comments. If you could add a new comment listing an email address (IANAL but a
new gmail one would probably be okay), or even better yet put it in your
profile, that would probably result in some nice leads for you.

~~~
AussieOdyssey
> I understand that the code is being moved out of the local intranet onto a
> non-corporate-managed Web service

Spot on and this is what I meant. By "public github" I meant code on the
internet but accessible to anyone in the consulting company. There are
multiple modules and they are moved to github,bitbucket and stash.

This also means people without background checks or ANYONE in the organization
has access to ALL the code of the bank. In the bank ONLY people in specific
departments have access to specific code (As is customary for all IT industry)

I am not trying to be a whistle-blower and mr goody two shoes. I am very angry
that my refusal to upload code to the internet is resulting in non-payment of
fees and threats that I will never get a contract in this city. And as an
independent contractor I am truly terrified of uploading bank code to the
internet; I don't want to end up in jail for stupid reasons.

~~~
i336_
Gotcha.

Hmm, so this is violating standard access controls. I can appreciate your
freaked-out-ness...

I understand you're not trying to make a scene (especially considering the
circumstances!) and are simply trying to resolve what is effectively a
legally-tangled paycheck bug.

Have you made any practical headway with figuring out how to resolve this?
[https://news.ycombinator.com/item?id=13682560](https://news.ycombinator.com/item?id=13682560)
looks interesting, and
[https://news.ycombinator.com/item?id=13682806](https://news.ycombinator.com/item?id=13682806)
sounds helpful also.

PS. FWIW, I'm in Sydney myself :) although I'm not working at the moment.

------
brudgers
As a consultant, this is why it is a good idea to have a corporate entity to
absorb contractual liability...and why it is a good idea for that corporate
entity to have no assets.

Practically speaking, and skipping the 'hire a lawyer' part. It is likely that
if there is legal action, it will be directed at the consulting company first
and foremost because it is likely to have deeper pockets and be backed by an
insurance policy that was acceptable to the bank.

Generally, the insurance company will settle based on its exposure rather than
outright liability. These things rarely wind up in court. Which brings me to
my second recommendation, have insurance for errors and ommissions.

Good luck.

~~~
AussieOdyssey
Yes, what you are saying is true and that is indeed how I have worked in
financial industries. I have my own ACN (C-Corp) consulting company with
Indemnity/Liability insurance through which I work.

However this muddies up as I consult to a consulting company which in turn
consults to the bank. I was informed by the Ombudsman that this was a common
way to work in Silicon Valley and US has laws that clarifies it however
Australia has not updated the laws regarding this "double employment"

~~~
brudgers
Thanks. I tried to avoid getting too specific since I knew Australian law
would be different, i.e. in the US the normal form of protection would be an
LLC or an S-corp (tax pass through closely held entity) and a consulting firm
in the US would very rarely be a C-corp (taxable income at both corporate and
individual levels).

What employment means is also different. A person consulting to a consulting
company that consults to a bank would have no employment relationship with
either the bank or its direct consultant. The person might have an employment
relationship with their own company that was contracted to the bank's direct
consultant.

All of which _ought_ to be governed by contracts...which I failed to mention,
but I'd not be surprised it they were in play here.

~~~
AussieOdyssey
Off topic: It would be good to have C-Corp and be taxable at both corporate
and individual levels because companies pay a flat tax while individuals are
tiered. This way we can choose our salary and leave the rest in company.

This however severely complicates cases like mine which has three pass-thru
contracts

~~~
brudgers
In the US, there is a cap on the wages to which social security tax applies.
That tax amounts to approximately 15.5% of gross salary when the company
portion and the individual portion are combined, the effective tax rate for an
individual is much less progressive than portrayed in popular political
opinion. It is also the case that control of a C-corp offers much less
personal liquidity than is possible with an LLC. In addition, the layer of
complexity for a C-Corp is likely to require more meaningful (from an
individual perspective) expenses on legal and accounting services.

All things being equal, it makes sense to optimize on taxes. Most of the time,
all things aren't equal.

------
vinodralh
I would use the consulting company's open door policy and go up the chain...
right to the country lead partner and mention this to them in writing. Believe
it or not ethics is extremely important to consulting companies as trust and
future work depends on this - and bring up any fears of being dismissed for
bringing this up to their attention.

~~~
AussieOdyssey
>consulting company's open door policy

Just a heads up (regardless of my case):

Company open door policy exists to protect the company. Even the HR is there
to protect the company. Even in US, whistle-blowing or rocking the boat will
result you in being fired faster than you can say Oklahoma backwards.

------
solresol
I am not a lawyer, but I think we can safely talk about the commercial aspects
to this.

1\. The bank won't chase you for what you've done. You have nothing the bank
wants. The bank's legal team have bigger fish to fry. It's not cost effective
for them.

If you want to walk away from this and forget about it, no-one will ever bring
it up.

2\. Nothing will happen between the bank and the consulting company. If you
want to make life interesting, you could send an anonymous tip to the bank's
auditors (likely to be Deloitte or KPMG). There will be a slap on the wrist
for the consulting company, and they will be forced to put in some kind of
better access control. Which they will then bypass unless the auditors come
looking.

3\. The only issue for you is getting your contract paid out.

If you and the consulting company's contract can be heard in Australia, you
could try small claims court. There might be an equivalent in your own country
if not. This is cheaper for the litigant and doesn't require legal
representation (in Australia). There will be a process to follow (send a
letter of final demand, etc. etc.).

I've never had to execute a small claims court case, because just the threat
of it is enough to make most companies behave themselves and act like adults
and negotiate sensibly.

In your case, the consulting company doesn't want it announced in court that
they are violating the security of their customers (and that the reason you
couldn't complete the contract was because you didn't want to be complicit in
it). That costs them more than paying out your contract. Therefore they will
settle before it gets in front of a judge.

But getting there will take weeks and months of heart-ache and stress. Decide
whether it's worth it.

Just my $0.10 from 20 years doing consulting work with large enterprises.

------
scrumper
"Illegal" how? Against an actual Australian law, or do you think it's against
the terms of the master services agreement the bank has with the consulting
company. Have you seen that agreement or the specific statement of work
they're operating under?

~~~
AussieOdyssey
I have worked in Financial sector for a long time and know that copying bank
software illegally is criminal in US and probably civil in Australia.

I program for the bank via the consulting company and my code is on the
internet. Plus my contract is frozen with fees until I withdraw my complaint
to IT of my consulting company.

Not sure who to talk to in the bank. HR said I have to resolve with my
consulting company but I am pretty sure the HR doesn't understand the
implication of copying software

~~~
tluyben2
Is the illegal part generic for any software because of copyright and
licensing or is it specific for banks? If the latter, what are those laws
based on? Why is it not the same as any software for any private company?

------
sdwisely
You're doing the right thing, please look out for yourself though!

You're pretty much inviting media in on this now before you're ready.

Delete post, it's a short list here in AU and I know which one of them I'd
look at first. Get more legal advice before going any further.

------
bentoner
Tricky spot. You need a lawyer to write what's called a letter of demand for
the rest of your contract fees. If your consultancy has any sense that should
resolve things. Don't contact the bank as that could backfire. Suggest
contacting [https://www.slatergordon.com.au/dispute-
resolution/contract-...](https://www.slatergordon.com.au/dispute-
resolution/contract-and-debt-recovery)

------
hubatrix
My speculation is you're working for cognizant am I right?

~~~
i336_
I'm not seeing any GitHub organizations in Australia with that name...

------
eelliott
AussieOdyssey

If you're in Sydney and want to have a chat email me edward at
flagshiplegal.com.au.

------
CodeWriter23
Seems like if you notified one of the higher ups in charge of security at the
bank, they would probably take care of it. And maybe you could parlay this
into your own consultant agency by being honest and promising to follow the
rules and take their security seriously. But definitely consult a lawyer. I
have no stake in your future. And free advice is often worth every penny you
pay for it.

------
jmho
Firstly you need to take care of yourself. If they are refusing to pay you and
you are coming here to make an "anonymous public statement", it is fair to
assume that your employer didn't like what they heard or quite simply how they
were told. It is important to remain true to your values, raising it with your
employer and explain why you are uncomfortable with that would have been my
number one suggestion. She/he should be able to understand. It looks like
she/he did not, my suggestion would be to raise it to she/he managers and
managers manager. Always calmly and respectfully, as most likely there isn't
necessarily a malicious intent.

Secondly, if you are really keen to reach out to the bank I'm happy to do it
for you as I know quite a few security teams in the major banks. But please do
not disclose who you are. Email me at
6lh008+1lhx68glu7jh83h8r9pxo7ad9wc8uao@pokemail.net

~~~
AussieOdyssey
Thank you for the polite response. I did speak to the consulting company HR
and their response was extremely rude with them going as far as saying they
will make sure I never get a contract with anyone else in "(this city)"

The federal ombudsman offered to mediate the issue but they flat out refused
to talk to either the ombudsman or me and the ombudsman has no power to force
them (as they are technically not my "employer")

I am sending you an email

~~~
i336_
Hi. I think this comment shows up at the top of your user comment page so I'm
adding this here.

I understand that things didn't work out but I'm very curious to find out what
direction you went. An update would be hugely appreciated :)

------
paktek123
What rights has the bank given to the consulting company regarding the
software?

If the bank has stated that the software can't be on github and your company
is putting it there then it sounds like a legal trouble between the bank and
consulting company with you as the whistleblower, if you decide to lawyer up

~~~
AussieOdyssey
There are strict security in place to prevent any "leaks" of software which
means all USB ports are disabled in company devices, the company network has
disable git/github/bitbucket and our security manual explicitly states that
the code cannot leave the intranet.

The consultant bypasses this by running wireless hotspots

~~~
viraptor
Talk to a lawyer. Especially because you're asking about Oz advice on a
primarily us site, so common understanding of the law may be different. And
whatever you do, consider if you can afford getting both fired and sued right
now - even if people tell you you're right.

Also I'm assuming that's 100% the public GitHub service and not an on-site, or
specially negotiated GitHub enterprise system?

~~~
AussieOdyssey
100% public github because they want to give access to new employees who do
not have access to enterprise system.

~~~
contravariant
Please tell me you're not saying they're using a public repository (one
reachable to anyone, even people not logged in to GitHub).

~~~
AussieOdyssey
Sorry, that's not what I meant. I mean *.github.com and NOT an enterprise
level private repository.

If you go to the company's public github & bitbucket profile you cannot see
the project but you can see all the devs and all these devs have access to the
code.

The logic is: All the employees are able to work with minimal delay (caused by
background checks)

~~~
contravariant
Thanks for clarifying. It appears some other people in this thread ran to
conclusions. Although the situation is still bad, just not immediately
disastrous.

------
AussieOdyssey
Just a clarification that I posted here:

By "public github" I meant code on the internet (from the bank intranet) and
accessible to anyone in the consulting company (public as in public network).
There are multiple modules and they are moved to github,bitbucket and stash.
This also means people without background checks or ANYONE in the organization
has access to ALL the code of the bank. In the bank ONLY people in specific
departments have access to specific code (As is customary for all IT industry)
This in turn means all contractors that git sync have all code on their
machines regardless of their access.

The consulting company is not breaking rules just for the sake of it but to
speed up development although what they doing is illegal.

~~~
detaro
> _although what they doing is illegal_

I can't add much to help you, but I'd be interested what laws requiring
background checks for this look like, could you tell me where I can find more
about that? (I would have expected this to be "just" a contractual requirement
between the bank and your employer)

------
vorotato
Ask a lawyer, also asking programmer for legal advice is like asking doctor
for stock advice. They might think they have a good idea of what to do, but 99
times out of 100 that's because they have no effin clue what they're doing.

------
bdavisx
If I were you I wouldn't worry about doing anything about the code being on
Github. You need a lawyer to get the money you're owed, and then find another
job.

As far as the bank goes: this is what they get when they outsource their work
to an unscrupulous company. The company you're working for likely cheats both
ways - don't expect to be treated any better in the future. They probably
screw a lot of their employees over. They seem to have no issue doing illegal
things. You don't want to be working for a company like this.

------
thrwaway989
_Now, my rest of the contract fees hasn 't been paid out.

A software lawyer said I could be implicit in this activity ...

...

What's the way out? And will I be in legal trouble if I lawyer up?_

I'm not sure why you are asking for advice on Hacker News if you've already
spoken to a lawyer. Has the lawyer advised you to lawyer up?

There's nothing wrong with whistleblowing, or even venting on HN if you feel
you were robbed by the consulting company of contracting fees, but I don't see
the point of seeking legal advice here, under these circumstances.

------
pentesterlab
I have contacts in the security team of most banks in Australia. Happy to help

------
jamez1
Did you intend for your username to give away where you work? Unless of course
Odecee is not the firm here.

You should probably check your professional indemnity insurance is all sorted
out if you are a contractor.

------
dvtv75
One thing that I haven't noticed anyone here mentioning is:

Document everything you've done. Everything. It may help protect you.

But get a good lawyer.

------
ziffusion
What in the fucking fuck! How hard is it setup your own git server for the
consultants to use?!

------
cpncrunch
Contact the CEO of the consultancy. Assume he/she doesnt know and would like
to know. Do it in writing. Then write registered letters to all directors of
bank if no satisfactory answer and remove yourself from project, and send
threats of legal action if not paid in required time.

If you are upfront with the bank, it is unlikely they will take legal action
against you. In the event they do, you will be protected by your limited
liability company (assuming you are operating through one).

