DataBreaches.Net

Crooks Steal $644,000 from NYC Department of Education

Posted on June 8, 2010 by Dissent

Michael Cheek reports:

Hackers have defrauded New York City’s Department of Education of more than $644,000 by targeting an online bank account used to manage petty cash expenditures, according to investigators.

The Department of Education’s bank account with JPMorgan Chase was supposed to have a $500 limit but, due to an oversight, any amount of funds could be transferred. The cyber criminals were able to carry out the crime for 3 years because the DOE failed to reconcile its accounts on a regular basis.

“It is difficult to understand how the DOE accumulated years of account statements, reflecting hundreds of thousands of public dollars spent to pay bills, but did not review them,” the report, which was written by Special Commissioner of Investigation for the New York City School District, stated. “A cursory examination would have shown that the charges were not normal school expenses.”

Albert Attoh, who spearheaded the theft, was sentenced in April to 364 days in federal prison and ordered to pay more than $275,000 in restitution after pleading guilty to bank larceny. Attoh provided the routing and account information to others in exchange for cash.

Read the report here

The report explains the “oversight” mentioned above as to why there was no limit on transfers:

In interviews with DOE officials, SCI investigators learned that the DOE account used to perpetrate the fraud was one of two SIPP accounts at Chase which covered the entire DOE school system and it was limited to purchases of less than $500. However, there was no limit to the amount of money that could be used to pay bills by an EFT, because the DOE had not blocked the use of EFT from any DOE bank accounts, some of which had been established before EFT existed.

DOE officials explained that the fraudulent transfers dated back to October 2003, began with relatively small amounts, increased significantly starting in November 2004, and continued until the discovery of the fraud in February 2007. At that time, DOE officials blocked the use of EFT on the two accounts. DOE officials said that the SIPP accounts were not reconciled on a monthly basis, but when they were, the DOE employees who conducted the reconciliation believed the charges were legitimate. The SIPP accounts were subsequently moved from Chase to the NYC DOF.

In interviews with Chase officials, SCI investigators learned that, although there was a $500 limit for purchases from the account, there was no amount limit for an EFT and, because the DOE had not blocked the use of EFT, any amount could be electronically debited from the account. Chase officials acknowledged that, at the time the account was opened in 1990, EFT was not in existence. A Chase official said that the bank would be able to go back 60 days and recover approximately $130,000 debited from the DOE account.

The report also notes:

This is not the first time that SCI has found serious lapses in fiscal oversight within the DOE. Just last year, SCI reported substantiated findings about a clerk assigned to the unit then known as the Division of Assessment and Accountability who was able to steal more than $60,000 because no one looked at statements which reflected that he made thousands of dollars worth of personal purchases, including flying his family around the world. Last month, SCI issued another report which pointed out the lack of financial oversight in a number of DOE schools.

NYC DOE security grade: FAIL.

Anyone care to hazard a guess how often the employee and student databases may have been breached without the NYC DOE ever discovering it?
