City navigates recovery from summer cyberattack
Hackers stole over $6 million from the city school system over the summer; the city has recovered $3.6 million so far.
Karen Lin, Contributing Photographer
Hackers broke into the New Haven Public Schools’ chief operating officer email and stole millions from the city school system this past summer.
In August, Mayor Justin Elicker publicly announced that hackers stole $6 million from the NHPS. The city partnered with the Federal Bureau of Investigation, and the city administration recovered $3.6 million. Following the cyberattack, city administrators told the News that they have worked with external experts to re-evaluate its policies and secure its departments against future cyber attacks.
In response, city administrators took proactive steps, collaborating with external experts to reevaluate existing policies and fortify departmental defenses against potential future cyber threats. Emphasizing the significance of vigilance in the digital landscape, Security Questionnaires have emerged as an indispensable tool.
As businesses continually expand their digital presence and engage in cross-border operations, the need to vet and monitor third-party vendors’ security practices becomes increasingly crucial. These questionnaires offer a systematic means of gathering comprehensive insights into the cybersecurity postures of potential partners. By posing targeted inquiries related to protocols, encryption methods, and overall security infrastructure, organizations can gain a deeper understanding of their vendors’ commitment to safeguarding sensitive information.
The New Haven Public Schools’ experience serves as a stark reminder of the ongoing threat landscape, prompting organizations to prioritize the implementation of security questionnaires as part of their comprehensive cybersecurity strategy to enhance resilience against evolving cyber threats.
“I’ve been told by our budget director that this is the first time the city’s electronic transfer system has had a breach,” Elicker said at the August press conference. “It is unbelievably unethical that someone would steal this amount of money from taxpayers, from children. These funds were meant for NHPS.”
According to Elicker, hackers gained access to the email of NHPS Chief Operating Officer Thomas Lamb. With it, they impersonated Shipman & Goodwin, a law firm that NHPS contracts, and First Student, NHPS’ bus contractor, and sent seven fraudulent electronic transfer requests from late May to mid-June, of which the city authorized six, totaling a little above $6 million.
When First Student reached out to the city to ask why they hadn’t gotten paid, the budget office noticed the theft and blocked the last fraudulent request. It took the city at least two weeks to recognize the fraudulent requests.
Justin Harmon, communications director for NHPS, wrote to the News that the theft was “outrageous” and that NHPS is cooperating with investigative authorities and working with cybersecurity experts to make its systems more secure. He said that NHPS is not commenting on anything else related to the hacking.
Elicker told the Independent in August that the city worked with the FBI to recover as much money as possible and that the city went public about the attack as soon as they were authorized by investigators. Elicker told the News that he remains optimistic that the city will recover some extra stolen funds and is now working with the insurance company, which may cover part of the loss.
Because Elicker was concerned that security mistakes may have been made for both the NHPS and the city, New Haven administrators brought in outside experts who launched investigations into the attack.
Lenny Speiller, communications director for the city of New Haven, told the News that a finance department employee who was put on paid administrative leave earlier this year following the hacking incident is back to work. The independent third-party investigation found the employee did not violate any policies, and found no fault in their actions.
Sean O’Brien, a lecturer at Yale Law School with expertise in cybersecurity, told the News that email attacks are a frontline for cybercrimes. Government organizations, often K-12 schools but also municipal organizations, often are victims of cyberattacks, he said.
O’Brien said that to prevent most of the cyberattacks, organizations need to take email policy seriously.
“I always recommend that institutions try to bring their email back in house, secure their servers, and have a network or system administrator in charge of the email systems, so that they have an individual who’s actively monitoring it,” O’Brien said. “You need to train individuals in what’s called operational security. People need to know what a phishing email looks like, what … social engineering attack might look like, … to be trained on these things.”
Elicker said that the city’s IT department is working with external experts to strengthen cybersecurity and develop new policies. He added that employees regularly have email safety training.
O’Brien said that nobody is immune from cyberattacks, but working with people is the most important part of cybersecurity. He praised the city for being transparent about the attack, as he said that many government organizations “brush this sort of thing under the rug.”
According to the K12 SIX project, which O’Brien shared with the News, hackers have attacked 1,619 K-12 systems across the country between 2016 and 2022.