The city of New Haven lost more than $6 million in multiple cyberattacks on its public school district earlier this summer and has so far managed to recoup about half of the money, officials announced Thursday.
The thefts, which occurred in June and involved hackers impersonating the city’s chief operating officer and private vendors in emails, came to light after a Connecticut school bus company raised questions about why it hadn’t yet been paid.
“The individual or the individuals that did this are criminal. They are unbelievably unethical to not only steal money from the public, but steal money from New Haven public school children,” said Mayor Justin Elicker, a Democrat, during a news conference.
Elicker said the FBI asked New Haven officials not to initially speak publicly about the hacking in order to protect its investigation. So far, $3.6 million has been recouped and the FBI has frozen additional funds, he said. Elicker could not provide a specific amount because the probe is continuing. No arrests have been made.
Elicker said the cyber thieves gained access to the COO’s public school email address in May, monitored online conversations with vendors and eventually inserted themselves into the conversations by impersonating the COO and the vendors. The thieves then made requests for electronic transfers to fraudulent accounts. A total of six payments were made, including four meant for the school bus company totaling more than $5.9 million.
The other two payments were meant for a law firm. Elicker said a seventh payment meant for a cleaning company was stopped by the city’s budget office. The FBI refers to the type of ruse used in the cyber attack as a “business email compromise.”
Elicker said the city has since stopped all electronic payments except for payroll and is working with several companies to strengthen its systems. One employee in the city’s law office has been placed on paid leave pending the results of the investigation.
“We do not believe any city employee was involved in the hacking itself,” he said. “However, we want to ensure that all employees followed proper financial and cyber security procedures.”