City officials kept quiet the loss of more $700,000 to online scams in part because of a criminal investigation, but the theft of taxpayer dollars could have been made public sooner, officials said.
Instead, the 2017 crime came to light last week when a former employee filed a whistleblower lawsuit alleging he reported the theft and other cybersecurity issues to city officials, but was fired in retaliation. Former IT manager William Birchett’s lawsuit claims that hackers stole more than $516,000 from city accounts and placed it in offshore accounts, but the phishing scams actually took more.
The city’s IT director said Tuesday better security measures have made the city safer since it was the victim of two phishing scams, an online scam where criminals send emails that appear to be legitimate asking for sensitive information like bank accounts.
The first scam happened in October 2017, when the city’s accounts payable department received a request to change the account for Imperial Construction, a contractor working with the city. The email looked real, but it was actually a scam. City staff sent $693,625.77 to a fraudster.
City staff reported the incident to police in January 2018 when Imperial told the city the payment never came. Gbenga A. Fadipe, 48, was arrested in May 2018. He is charged in Tarrant County with theft of property greater than $300,000.
The city has recovered about $48,000, but the rest of the loss was covered by the city’s risk fund. The council quietly approved the expense in April 2018 with a consent agenda item that did not detail the scam.
The city was again the victim of fraud in May 2018 when the direct deposit information for six employees was changed to prepaid card accounts. About $16,000 was directed to those cards, not the employees’ bank accounts.
Councilman Brian Byrd said the council should consider when it’s appropriate to make similar issues public.
“I’d like to see us talk about a communication plan that would include the metrics or parameters under which we would make this public,” he said.
Council members were briefed more than once about IT issues involved in the lawsuit during executive session, including allegations that sensitive employee information was accessible to anyone online.
Assistant City Manager Susan Alanis said the criminal investigation made public discussion difficult, but once that was concluded officials likely could have made taxpayers aware of the scam.
“Again, lesson learned in hindsight,” she told council members.
Kevin Gunn, chief technology officer for the city, said several improvements have been made to safeguard the city from scams.
Though he didn’t go into great detail, Gunn said the city has improved its malware detection, upgraded software and required more verification of changes to bank accounts and other personal information. In the case of employee deposit information, changes now must be verified on the phone or in person with the finance department.
“We have a broad and encompassing data protection program,” Gunn said.
A third-party employee benefits vendor was also the subject of allegations of poor information management, according to the lawsuit. Sensitive employee information may have been accessible to anyone on a site not operated by the city, but Gunn said the website didn’t appear to show employee Social Security numbers.
Human error caused employees to be duped by the phishing scams, and improved training may prevent that, Alanis said.
“I think it’s a constant learning process as some of these intrusions become more sophisticated,” she said.
Though the lawsuit combines issues related to the phishing scams with a Texas Department of Public Safety audit and the city’s compliance with an FBI crime fighting database, they are unrelated.
The lawsuit claims employees with disqualifying criminal histories were allowed access to the system. Gunn said background found that some longtime employees recently had disqualifying criminal records and their access was revoked. The city found only one incident when an employee with a disqualifying background accessed the system, which was reported to DPS, he said.
The city has remained in compliance with the Criminal Justice Information Services, or CJIS, Gunn said.