IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New Haven, Conn., Tightens Cyber Controls After $6M Loss

After hackers used the email account of the New Haven Public Schools chief operating officer to steal more than $6 million, officials there are working to recover the money and block future cyber attacks.

(TNS) — In the wake of a hacker gaining access to the email account of the New Haven Public Schools chief operating officer's email account, impersonated him in email conversations and stealing more than $6 million, city and school officials, in cooperation with law enforcement agencies and the city's banks, are working both to recover as much as the money as possible and ensure that nothing like it ever happens again.

So far, $3.6 million has been recovered and the FBI has been able to freeze an unspecified additional amount, Mayor Justin Elicker said.

An ongoing criminal investigation is underway, Elicker said Thursday. Meanwhile, New Haven has tightened its procedures and protocols to try to keep from seeing a repeat anytime in the future, he said.

To begin with, it has stopped all electronic transfers other than payroll transfers until further notice while it works to further strengthen its cybersecurity systems and protocols and tighten its financial policies and procedures, Elicker said.

Among other measures, the city put one employee in the city budget office on paid administrative leave, Elicker said.

"Just to be clear, we do not believe any city employee was involved in the hacking, itself," he said. "We want to be sure that all employees follow the proper financial and cybersecurity procedures."

Beyond that, "Someone needs to answer to the fact that they have stolen from the children of New Haven Public Schools," said Superintendent of Schools Madeline Negrón, who said she was "just outraged" by the crimes, which took place before she took over as superintendent in July.

Elicker said the city is seeking help from outside experts to strengthen its anti-fraud protocols, but lessons learned as a result of the incident include "don't click on anything" and "be suspicious of any email that you receive."

"We regularly do training and will continue to do so on ... phishing emails and how to be cautious on emails and links that could lead to trouble," Elicker said Friday. But he emphasized that "there's an ongoing investigation into how they gained access" and "we're not yet entirely clear how they gained access to the COO's email."

The thefts occurred in June after a hacker or hackers penetrated New Haven Public Schools COO Thomas Lamb's email account in late May, Elicker said.

Most of the funds — more than $5.9 million — were intended for First Student, the city's schools bus company, and the fraud came to light when First Student raised questions June 23 about when it was going to be paid, he said.

"The individual or individuals who did this are criminal," Elicker said. "They are unbelievably unethical to not only steal money from the public but to steal money from New Haven public school children.

"It is just shocking to me how much greed there is in the world today," Elicker said. "... We will do everything we can to possibly track down these people."

No arrests have been made.

According to Elicker, hackers appeared to have gained access to Lamb's email in late May, then subsequently made six successful attempts and one failed attempt to steal money through electronic transfers. The COO "has the authority to authorize electronic transfers that have already been approved in the budget," he said.

After gaining access, the hacker or hackers appeared to have watched email conversations between officials and vendors "and then inserted themselves in the conversations in an attempt to steal" funds, Elicker said.

The hacker or hackers impersonated the COO and several vendors to make requests for electronic transfers to fraudulent ACH electronic transfer accounts, Elicker said.

Four of the payments, totaling more than $5.9 million, were meant for First Student, officials said. Two other payments totaling more than $76,000 were meant for Shipman & Goodwin, a law firm that represents the New Haven Public Schools, Elicker said.

There was a seventh attempt in early July involving another vendor, S.J. Services, which does cleaning services for the schools. That attempt was denied by the city budget office, Elicker said.

After becoming aware of the hacking on June 23, the city immediately contacted the city police and the banks where the payments were made, then shortly after contacted the FBI and the U.S. attorney's office, Elicker said.

Police Chief Karl Jacobson said New Haven police Detective Matthew Collier already was embedded with the FBI on a white collar crime task force and worked with the FBI on this case.

"We're hoping to retrieve most of the money in the end," as well as make some arrests, Jacobson said.

©2023 the New Haven Register, Distributed by Tribune Content Agency, LLC.