Michael Cheek reports:
Hackers have defrauded New York City’s Department of Education of more than $644,000 by targeting an online bank account used to manage petty cash expenditures, according to investigators.
The Department of Education’s bank account with JPMorgan Chase was supposed to have a $500 limit but, due to an oversight, any amount of funds could be transferred. The cyber criminals were able to carry out the crime for 3 years because the DOE failed to reconcile its accounts on a regular basis.
“It is difficult to understand how the DOE accumulated years of account statements, reflecting hundreds of thousands of public dollars spent to pay bills, but did not review them,” the report, which was written by the Special Commissioner of Investigation for the New York City School District, stated. “A cursory examination would have shown that the charges were not normal school expenses.”
Albert Attoh, who spearheaded the theft, was sentenced in April to 364 days in federal prison and ordered to pay more than $275,000 in restitution after pleading guilty to bank larceny. Attoh provided the routing and account information to others in exchange for cash.
Read the report here
The report explains the “oversight” mentioned above as to why there was no limit on transfers:
In interviews with DOE officials, SCI investigators learned that the DOE account used to perpetrate the fraud was one of two SIPP accounts at Chase which covered the entire DOE school system and it was limited to purchases of less than $500. However, there was no limit to the amount of money that could be used to pay bills by an EFT, because the DOE had not blocked the use of EFT from any DOE bank accounts, some of which had been established before EFT existed.
DOE officials explained that the fraudulent transfers dated back to October 2003, began with relatively small amounts, increased significantly starting in November 2004, and continued until the discovery of the fraud in February 2007. At that time, DOE officials blocked the use of EFT on the two accounts. DOE officials said that the SIPP accounts were not reconciled on a monthly basis, but when they were, the DOE employees who conducted the reconciliation believed the charges were legitimate. The SIPP accounts were subsequently moved from Chase to the NYC DOF.
In interviews with Chase officials, SCI investigators learned that, although there was a $500 limit for purchases from the account, there was no amount limit for an EFT and, because the DOE had not blocked the use of EFT, any amount could be electronically debited from the account. Chase officials acknowledged that, at the time the account was opened in 1990, EFT was not in existence. A Chase official said that the bank would be able to go back 60 days and recover approximately $130,000 debited from the DOE account.
The report also notes:
This is not the first time that SCI has found serious lapses in fiscal oversight within the DOE. Just last year, SCI reported substantiated findings about a clerk assigned to the unit then known as the Division of Assessment and Accountability who was able to steal more than $60,000 because no one looked at statements which reflected that he made thousands of dollars worth of personal purchases, including flying his family around the world. Last month, SCI issued another report which pointed out the lack of financial oversight in a number of DOE schools.
NYC DOE security grade: FAIL.
Anyone care to hazard a guess how often the employee and student databases may have been breached without the NYC DOE ever discovering it?