The money was part of $3 million the county loaned to the housing agency in March for the work at Golden Gate Village.
"We are actively working to identify funding sources to replace what was lost," said Kimberly Carroll, director of the Marin Housing Authority.
Carroll vowed that the theft would not prevent the Marin City project from proceeding.
"We won't stop the forward process of our renovation," Carroll said. "We can't. That has to continue."
She also provided assurances that the breach would have no effect on the people living in apartments the authority oversees.
"We want to assure our clients and stakeholders that no services will be impacted," Carroll said, "and there will be no reduction in the funding or resources dedicated to our programs."
Jason Balderama, a county technology official, has started working as consultant for the housing authority to coordinate the investigation and advise on how to strengthen its internet defenses.
Balderama has enlisted the assistance of the California Cybersecurity Integration Center and the federal Cybersecurity and Infrastructure Security Agency, as well as submitting a report to the FBI.
"It's an ongoing investigation," Balderama said. "They're still trying to determine if they can pinpoint the exact root cause."
Carroll said investigators suspect the criminals used a "phishing" attack to gain access to several email accounts belonging to the agency's employees, including hers. Phishing is an online scam in which attackers use emails, text messages or phone calls to trick people into revealing sensitive information such as their usernames and passwords.
"It's unfortunately a very common occurrence," Balderama said.
He said some of the housing agency's email accounts were particularly vulnerable because they lacked "two-factor authentication," a security procedure that combines two forms of identification to guard against unauthorized access. In addition to the typical username and password, it adds a second factor, sometimes a code sent via text message.
Carroll said the scammers managed to gain access to six email accounts belonging to housing authority employees. Then, using the emails to pose as employees, they hijacked two large payments meant for Burbank Housing, the agency's development partner for the Marin City project.
Burbank is overseeing pre-development work for the project, determining what repairs need to be made to the 300 residences at Golden Gate Village. The housing authority has a $1.4 million contract with Burbank for the work.
"The bad actors probably accessed our email accounts in July," Carroll said. "But we didn't find out until September."
Carroll said the $950,000 in payments to Burbank were dispatched in two large tranches. The first one went out in late August.
"We sent it out to them," she said. "We followed all of our protocols. We never heard from Burbank that they didn't get the money until about three weeks later."
Carroll said Burbank notified the housing authority it hadn't received the August payment on Sept. 16, about two or three days after the agency had dispatched the second tranche.
"That was gone in a flash," she said.
Burbank Housing could not be reached for comment.
Balderama said the odds are long that authorities will identify the thieves or recover the funds. He said the perpetrators might be based in the United States, or they could be located in any number of countries, including India, China and Russia.
"It's so easy to get private VPN service that the threat actors can make it look like they're coming from basically anywhere," Balderama said, referring to virtual private networks.
A VPN shields its users from identification by encrypting their data and masking their internet protocol addresses.
Carroll said the housing authority still has about $1.6 million left with which to move forward with the rehabilitation of Golden Gate Village.
"We may have a conversation with the county to see if we would be able to borrow additional funds to help get us through if we need that," Carrol said.
Marin County Executive Derek Johnson, however, said there has been no discussion of the county shouldering any of the $950,000 loss.
"Marin Housing Authority is assuming full responsibility and has committed to looking for alternative sources to recover the $950,000," Johnson wrote in an email. "We anticipate MHA will be able to repay the $3 million loan as planned."
Earlier this month, following Johnson's recommendation, the Board of Supervisors approved spending $500,000 for an organizational and operational assessment of the Marin Housing Authority, the Marin County Community Development Agency and the Marin County Department of Public Works.
At the time, Johnson said he envisioned the county providing the housing authority assistance with finance, personnel and information technology.
Both Johnson and Carroll said Monday that the plan for the assessment was formulated before the discovery of the $950,000 theft.
"This breach underscores the need for the agency to undergo an organizational assessment to make sure it's utilizing resources in the most efficient way, and also has the organizational structure, security, systems, and procedures in place to deliver high quality service and achieve its mission," Johnson wrote.
The crime was the largest theft of Marin public funds since Eric Faulks, a former county official, embezzled $1.9 million from the rental assistance program. Faulks pleaded guilty to four counts of grand theft and began serving a six-year prison sentence in November 2022.
Since 2020, two Marin County Civil Grand Jury reports have examined the level of internet security preparedness in the county.
The first came after the county experienced at least five hacks from July 2017 through August 2018. The fifth attack concluded with the hacker conning the county's finance office into wiring $309,000 to the hacker's bank accounts. The county managed to recover approximately $63,000.
After the 2020 report, Marin County created what is now known as the Marin Security and Privacy Council (MSPC). Originally formed to provide internet security information and best practices to Marin's municipalities, the council has been expanded to include nonprofits and other private organizations. The Marin Housing Authority became a MSPC member prior to the recent attack.
"It is up to each MSPC member organization to use the information, best practices and recommendations as they see fit," Balderama said. "Now that I am acting as a cybersecurity consultant for MHA, I am working with them to ensure that the resources and best practices shared through the MSPC are being actively implemented."
The second grand jury report was released earlier this year. Its recommendations include having the county hire three new employees to bolster internet security. The grand jury said two should be "system-engineering" positions responsible for conducting security risk assessments and implementing security solutions for public agencies.
© 2024 The Marin Independent Journal (Novato, Calif.). Distributed by Tribune Content Agency, LLC.
