Chester Upland School District (CUSD) in Pennsylvania faced an attempted theft of $13 million through a complex scheme that involved hacked email accounts, cryptocurrency, and a romance scam targeting a recently widowed Florida woman.
However, local government agencies intercepted and recovered $10.3 million of the $13 million stolen from the district, according to an announcement released by the Delaware County District Attorney’s Office in Pennsylvania last week.
First, a hacker infiltrated CUSD’s email systems. The hacker then used a compromised email account to change the bank account designated for district funds paid by the Pennsylvania Department of Education. From there, future payments from the state department of education intended for the school district could be sent to a bank account accessible to the hacker.
The widowed Florida resident was unknowingly used as a money mule to move the illegally acquired money to individuals overseas through bank transfers and the purchase of cryptocurrency. She did so at the direction of a fictitious love interest, whom she met through an online dating platform.
While the district is grateful most of the stolen money has been recovered, the missing $3 million is still a significant loss, said Nafis Nichols, receiver for CUSD, in a statement.
“Our district faces significant economic challenges, and we are doing our best to allocate as much money as possible to our classrooms and to providing adequate and appropriate staffing. An additional $3 million can make a significant difference for our students,” Nichols said.
This money laundering scheme shows how increasingly complex cyberattacks against school districts are becoming, said Amy McLaughlin, a subject matter expert at the Consortium for School Networking.
McLaughlin has noticed that districts using publicly visible and available building bonds can also be easily targeted in schemes similar to the one seen at CUSD.
“This is the challenge of balancing — we have a public, transparent process around government, and so we have to be additionally cautious about other elements of security that may seem small or contained that can become quickly problematic,” McLaughlin said.
This hacking scheme should also be a cautionary tale for other districts and states to be more aware when transferring funds, she said. There should also be audits in place for when an account routing number has changed.
“If you have a changed banking account alert, and as an organization, you know your bank has not changed, that should be a high-priority alarm going off saying ‘Hello, you need to check this right away,’” McLaughlin said.