BALTIMORE —
The FBI is now investigating a cyberattack and identity theft that resulted in more than $1.5 million in fraud, the Baltimore City Comptroller's Office told 11 News Investigates.
Officials told 11 News Investigates that the investigation stems from someone using the names of city employees with whom they gained trust, coupled with a vendor and information readily available online to steal money from the city.
Who did this? And how?
Baltimore City Deputy Comptroller Erika McClammy told 11 News Investigates that the city was alerted on March 13 to a cyberattack on its accounts payable department by a perpetrator who used identity theft to fraudulently gain access to more than $1.5 million in payments intended for a city vendor.
"We don't know yet who actually the bad actor was. Obviously, they probably have several names," McClammy told 11 News Investigates.
That perpetrator adopted the name of a current vendor employee to infiltrate the city system, using information that's available online.
"They established contact with the city, actually, last fall, around November, October, and so, for several months, they had been incubating and nurturing a relationship with various city departments," McClammy told 11 News Investigates.
McClammy told 11 News Investigates that the perpetrator nurtured a relationship with city employees.
"With employees, several employees," McClammy told 11 News Investigates.
After building trust for months, the perpetrator changed the banking information, cashing one check in February for $803,000 and trying to cash a second check in March for $721,000. The bank flagged the transaction.
"The first check, unfortunately, had already been cashed. It was a second check that was caught and then returned to the city," McClammy told 11 News Investigates. "We went into immediate action. We froze the account that we have set up for that vendor so that nothing else could occur."
Current protocols followed, may need to be enhanced
When 11 News Investigates asked whether the perpetrator's identity will be made public, McClammy said: "Sure, we're in the process of investigation, so the FBI has received information."
McClammy told 11 News Investigates that the vendor that should have received the stolen $1.5 million works with the Baltimore City Department of Public Works. The vendor will receive its payment this week.
While city employees followed current protocols, McClammy acknowledged that the fraud shows the city needs to enhance current protocols.
"What we do know, for instance, is that they were able to bypass Baltimore City's geofencing. They used an IP address set up through Starlink," McClammy told 11 News Investigates.
Are other city systems still vulnerable?
As the FBI investigates, McClammy said the breadth of the attack remains unclear.
"We may have not been the only agency or city that was targeted. So, we don't know. That'll be part of the investigation that the feds do," McClammy told 11 News Investigates.
11 News Investigates asked McClammy whether any evidence suggests the city's accounts, or its HR and payroll system, Workday, are still vulnerable if targeted via Starlink.
"I can't say that," McClammy told 11 News Investigates. "I can say that, again, we are looking at ways that we can enhance the system, and I think that's going to be continuous."
McClammy told 11 News Investigates that the fraud has also been referred to the Baltimore City Office of the Inspector General to conduct its own investigation.