Safeguards Under Scrutiny After Cyber Theft Costs New Haven Schools $6M

A school board member is questioning security measures at New Haven Public Schools in Connecticut after a hacker gained direct access to an official's email account in May and used it to steal $6 million.

(TNS) — A Board of Education member is criticizing the school district's financial safeguards after a cyber attack led to the theft of over $6 million from the New Haven Public Schools.

In a statement, board member Darnell Goldson questioned whether the school district used adequate security measures, such as two-factor authentication for employees authorizing and receiving money transfers. He said he also wondered what checks and balances were in place to protect public funds.

Meanwhile, the city has paused all electronic transfers except payroll transfers while it waits for outside experts to review its anti-fraud protocols, according to Mayor Justin Elicker.

"It's important to underscore that the city is the victim of a crime and that there are many cities, hospitals, other large entities, that have experienced similar thefts and cyber attacks," Elicker said Monday when asked about Goldson's comments. "It's important for us to work together to ensure that we strengthen our systems, and not to point fingers and blame each other."

Justin Harmon, a spokesperson for the New Haven Public Schools, said the district would not disclose particulars about how it facilitates financial transfers because doing so could compromise an ongoing FBI investigation into the theft.

"The city and the school district have committed to a thorough review of our financial and IT systems by an independent expert," he said in a statement. "We will be able to say more about deficits and new precautions afterward."

The theft of over $6 million was linked to a hack that the city believes occurred in late May, when perpetrators appear to have gained direct access to the email account of the schools' chief operating officer, Thomas Lamb, and used it to authorize multiple transfers to fraudulent accounts, Elicker has said.

The thefts took place in June, Elicker said. Over $6 million was taken from school district funds, most of it meant for the district's bus company, First Student, according to the city.

The hackers also are believed to have impersonated First Student representatives, Elicker said, though the company does not appear to have had a security breach of its own.

The FBI has so far recovered about $3.6 million worth of stolen funds, according to the city.

Hearst Connecticut Media Group sent inquiries about the safeguards the district has in place to Lamb, Board of Education President Yesenia Rivera and Superintendent of Schools Madeline Negrón, who started in the job after the thefts occurred. The inquiries, which included questions about the verifications required when transferring money, also sought responses to Goldson's comments.

Harmon, the district spokesperson, responded to the inquiry sent to Negrón.

"We really can't get into a lot of the particulars of how the financial systems and, you know, the IT aspects of these processes work, both because the investigators have told us that if we did so we could compromise their ongoing investigation and because we don't want to disclose what could be vulnerabilities to other potential hackers," he said. "I'm not going to comment on Mr. Goldson's speculations."

Asked about New Haven's security measures, Elicker said city employees use multifactor authentication to access their email accounts. The school district uses multifactor authentication as well, according to Harmon, who said employees must change their passwords every few months.

Goldson said he suspects "carelessness" in the school district's processes as well as an inadequate "checks and balances and control system" made it easier for the thefts to occur, expressing frustration with what he described as a lack of information provided to school board members about the cyber attack.

"If I want to wire money to my daughter from my account, I have to go through two steps, three steps actually" to verify the account information, he said. "None of that seems to have occurred in this process. ... If it did occur, we probably wouldn't have been ripped off the $6 million."

Goldson also questioned whether the district requires a second party to sign off on large transactions.

"I'm hoping that we don't have one person who could send an email to the city saying, 'Wire $6 million to this account,'" he said. "But again, I haven't been briefed, so I don't know."

Goldson said he only learned of the thefts shortly before city officials held a press conference Thursday to discuss the matter. He said he believes officials, who say they became aware of an issue in late June, should have told the Board of Education about the issue sooner.

If law enforcement was concerned about compromising the investigation through public disclosure, Goldson said, the school board could have been briefed in executive session.

Elicker says the FBI asked officials not to discuss the thefts publicly or with private groups.

"The FBI asked the city not to share information because there's an ongoing investigation," he said. "It was important for the FBI to freeze as much money as possible ... while we always want to share information as quickly as possible, that would have jeopardized our ability to recover the funds and to collect information quickly to identify the perpetrators."

As of Monday, no arrests had been announced in connection with the thefts.

During Monday evening's scheduled Board of Education meeting, Goldson said he planned to make a motion for the board to be briefed by law enforcement.

©2023 the New Haven Register (New Haven, Conn.). Distributed by Tribune Content Agency, LLC.