Hackers impersonating the city school district’s chief operating officer succeeded in stealing over $6 million in city funds that were largely meant to pay for New Haven school buses.
With the help of the FBI, the Elicker administration has clawed back more than half of that public money — as the city continues to investigate what exactly went wrong, and how to make sure such a cyberattack doesn’t happen again.
On Thursday afternoon, Mayor Justin Elicker and top city police officials went public about the early-summer cyberattacks and about how the city has now recovered around $3.6 million of that stolen money.
Elicker told the Independent in a phone interview Thursday morning that the Federal Bureau of Investigation had asked city officials to hold off on speaking publicly about the late-May electronic thefts to give law enforcement investigators time to try to get back as much of the stolen money as possible and track down who committed these cyber crimes. “We feel we can share information publicly without significantly jeopardizing” the investigation at this time, the mayor said on Thursday.
Here’s what happened, according to Elicker:
In late May through mid-June, over the course of six different cyberattacks, hackers stole “just over $6 million” in city money.
The hackers appear to have gained access to the email account of New Haven Public Schools Chief Operating Officer Thomas Lamb, Elicker said. “They made six successful attempts and then one failed attempt to steal money through electronic transfers.”
The school district’s COO has the authority to authorize electronic transfers that have already been approved in the annual budget, the mayor said.
He said that two of the stolen payments, adding up to $76,000, were meant for Shipman & Goodwin, a law firm that NHPS contracts with.
He said that four of the stolen payments adding up to over $5.9 million were meant for First Student, the city school district’s school bus contractor.
Elicker said that the city’s finance department processed the electronic transfer requests it had received from impersonators of Lamb, Shipman & Goodwin, and First Student. The city’s budget office first learned that a theft had taken place on June 23. That’s when First Student reached out to ask why they hadn’t gotten paid.
The city’s budget office “quickly identified the problem, stopped making electronic transfers, contacted the NHPD, then contacted the FBI.” A seventh and unsuccessful attempted cyberattack occurred in early July involving an impersonation of Lamb and the contractor SJ Services, Elicker said. “That transfer was denied by the city’s budget office. At this point, the budget office was aware of the breach and had stopped electronic transfers.”
Elicker said that the city has placed one of its finance department employees on paid administrative leave, not because this employee is a suspect in the theft in any way, but so his administration can review whether the then-existing payment policies and procedures were followed appropriately. Elicker declined to share the name of the employee on leave; he confirmed that the employee is not the head of the budget office, Mike Gormany.
The city is also “engaging two outside companies to assist the city and NHPS with both cybersecurity and, on the city side, our financial policies and procedures,” the mayor continued. The city has some “cybersecurity insurance,” and has used those funds to hire a firm called Surefire “to review the breach and understand exactly how it occurred.” That insurance could also go towards reimbursing the city for whatever money the administration fails to recover from the hackers, though Elicker said it would not cover the current outstanding $2.4 million. And he said that the city has “stopped all electronic transfers except for employee payroll until further notice.”
Elicker said the city is also reviewing both its financial and cybersecurity protocols and safeguards to strengthen its defense against future attacks, though he said he could not share specific alterations made to policies since that might assist hackers in circumventing the city’s security systems down the line.
Elicker declined to comment on whether law enforcement has identified any specific individual suspects or whether anyone has been arrested yet, citing the ongoing investigation and attempts to recover the more than $2 million in remaining stolen funds.
He did say that the cyberattacks appear to have occurred through what’s called a “business email compromise.”
In such a scheme, “hackers gain access to someone’s user account. They monitor conversations and then insert themselves into the conversation in an attempt to steal money.” In these six successful cyberattacks from May and June, “hackers appear to have been monitoring ongoing email exchanges between the chief operating officer of NHPS and vendors in the city’s budget office, and in each instance they inserted themselves into the conversation and, using the COO’s email, impersonated him.”
He said that the hackers likely targeted the NHPS COO because that official has the authority to sign off on budget-approved payments and send them to City Hall’s finance department for final approval.
“I’ve been told by our budget director that this is the first time the city’s electronic transfer system has had a breach,” Elicker said. “It is unbelievably unethical that someone would steal this amount of money from taxpayers, from children. These funds were meant for NHPS.”
Elicker and Police Chief Karl Jacobson were scheduled to hold a press conference about the cyberattacks at 1:15 p.m. Thursday.
“We’re hoping to retrieve most of the money and in the end end up with arrests,” Chief Karl Jacobson stated during that presser. He noted that the FBI has frozen some of the remaining stolen $2.4 million, but he could not specify how much.
In the meantime, Elicker said the city has enough cash flow to cover any potential education costs that could have been jeopardized by the hacking.
In an email comment sent to the Independent, Democratic mayoral challenger Shafiq Abdussabur — a retired police sergeant looking to unseat Elicker in this September’s Democratic primary — criticized the Elicker administration and its budget office for letting these cyberattacks take place. He lamented that the “residents of New Haven may never be made whole for this unacceptable loss.”
Abdussabur focused his critique in his comment on the administration not filling the long-empty city controller position, and having the budget director instead fill that role. “This appalling oversight is just one more piece of evidence about the costs we have all paid for the Elicker Experiment,” Abdussabur said. “One person doing three important City jobs is simply reckless and bound to result in mistakes the residents of New Haven are on the hook for.”
Nora Grace-Flood contributed to this report.