This spring, cybercriminals made off with $1.4 million in taxpayer money — the single biggest theft of funds in the city of Portland’s history.
According to an email exchange obtained by OPB, the loss could have been easily avoided. The records show the city’s treasury flagged the $1.4 million wire transfer as potentially fraudulent before the money left Portland’s coffers.
But housing bureau officials paid it anyway. At this point, cybersecurity experts say, there’s little chance the city claws it back.
The million-dollar-payment was intended for Central City Concern, a local nonprofit building a 100-unit affordable housing project called The Starlight in the heart of the Old Town neighborhood. The city’s housing bureau signed a $17 million contract with the nonprofit last March to construct the building and had been routinely wiring the group money to cover construction costs.
Before the wire transfer went out on April 25, treasury officials reached out to the housing bureau asking staff to confirm Central City Concern’s banking information was accurate, according to an email sent by city treasurer Brigid O’Callaghan. O’Callaghan was concerned the name on the bank account for Central City Concern did not match the name of the account receiving the wire transfer.
“This is often a red flag that the payment instructions are fraudulent,” O’Callaghan wrote in an email obtained through a records request. “That was why we needed to be absolutely certain that PHB’s finance Team had spoken to someone known to them at the beneficiary organization to confirm the account information.”
According to the email, two officials who deal with the housing bureau’s finances confirmed to O’Callaghan that the banking information was correct. She told the officials she had released the transfer and asked them to check later that day that Central City Concern got the money.
No one who actually worked for the nonprofit would ever confirm the transfer. In a written response to OPB’s questions, city spokesperson Carrie Belding stated housing bureau staff thought they had followed up on the treasurer’s concerns but were unwittingly “communicating with the perpetrator of the crime.”
“At the time, City staff believed that they had obtained a confirmation,” she wrote. “Unbeknownst to the employees involved, confirmation was provided by the imposter rather than the business partner.”
Emails show a housing bureau official was in contact that day with someone purporting to be Central City Concern’s treasury manager who had the nonprofit’s logo at the bottom of his email. The person’s email is redacted in the documents the city provided.
One month after the first fraudulent transfer, hackers would make a second, unsuccessful attempt to steal money. Only then would city officials realize the payment originally flagged as suspicious was indeed fraudulent.
At that point, the $1.4 million had already moved from the city’s bank to an account on the East Coast, where it disappeared. The cybercriminals, meanwhile, had unfettered access to the city’s internal systems for an entire month, per emails.
“There’s a treasure trove of stuff within many organizations,” said University of Maryland, Baltimore County professor Don Norris, who published a book this year on cybersecurity in local government. “Criminals get in, they look around, and they try to steal whatever they can.”
City officials said no money was stolen aside from the $1.4 million, and they have no indication that anything was accessed other than one city employee’s email account.
When a local government gets breached, typically, the last thing they want to do is talk about it. Most publicly cite an ongoing investigation and, privately, a fair share of embarrassment.
Portland has proved no exception over the last few months. City officials have remained guarded and did not make themselves available for an interview. In a written response to OPB’s questions, spokesperson Belding stated the breach was a type of “business email compromise,” a form of breach where criminals send an email that seems to come from a legitimate vendor and provides new wiring instructions.
These types of hacks are everywhere. In 2019, Portland Public Schools transferred $2.9 million to a fraudulent account mistakenly believing it belonged to one of their construction contractors. That same year, Naples, Florida, lost $700,000 to someone pretending to be from a local construction company just after the Collier Mosquito Control district had lost $100,000 to a phony insurance carrier.
In Portland’s case, the breach was complicated by the fact that the hacker had total control over the emails of a housing bureau employee.
A few days before the April 25 transfer, the employee, whose job includes requesting wire transfers for new developments, likely fell for a phishing attack and provided their password to a bad actor, according to a recap of the incident sent by the then-housing bureau director Shannon Callahan to the city’s new chief administrative officer. Callahan resigned as bureau director a few months after the breach, saying she felt it was time to move on.
With access to the email account, the hacker was able to convincingly impersonate an official with Central City Concern, which was about to put in a draw request for $1.4 million from their contract with the city to cover more construction costs.
The hacker would hold on to access to the account for the next month. The city technology staff later realized the account had been severely breached with logins occurring from locations across the globe including Texas, Germany and Nigeria (officials say the hackers were using a virtual private network to mask their location). Callahan later said she believed the cybercriminals were able to enter through “KNOWN weaknesses in our system.”
“It’s a serious situation of multiple bad actors actually controlling internal emails for our staff authorizing wire transfers and also improper contact information for construction draws,” Callahan told Commissioner Dan Ryan, who oversees the housing bureau, in a voicemail left immediately after the breach, which OPB obtained through a records request.
Three housing bureau employees who played a role in the wire transfer were put on administrative leave immediately after the incident, according to other emails obtained by OPB. After an investigation, Portland Police Bureau Deputy Chief Mike Frome told city officials in an email on June 2 that their investigators had “found no criminal behavior.” All the employees have returned to work.
The city has since paid Central City Concern the $1.4 million they were owed. Portland officials expect to recoup roughly $500,000 through its cybersecurity insurance, according to Belding.
But the cost of the breach could easily snowball beyond one million. Most local governments see their insurance premiums skyrocket after a cyberattack. Cybersecurity specialist Paul Hafen with tech firm ContentKeeper says he’d also expect the city to be pouring tens of thousands at a minimum right now into beefing up its defenses.
A city spokesperson said the city is currently expanding its cybersecurity training and addressing “the specific vulnerability exploited by the bad actor.” The city budgets roughly $4 million a year for cybersecurity — 4.7% of the IT budget.
An investigation into who was behind the breach is ongoing, though cyber experts said the city is extremely unlikely to catch the culprit. Very few cyber crimes are solved, according to Norris, the University of Maryland professor, with many breaches stemming from hackers in foreign countries hostile to the U.S., such as Russia or China.
City officials said they remain optimistic.
“The City is hopeful that the perpetrator(s) of this crime will be held accountable and that funds will be recovered,” Belding wrote.