A small school district in Pennsylvania was recently the victim of a cyber attack. While there is nothing unusual about another cyber attack story, what I did find interesting about this one was the number of failures that occurred without anybody picking up on them.
Beaver school district was initially scammed out of $700,000. It was able to get back $300,000 and is still trying to claw back the rest. Although the details are sketchy, cyber attackers used the antiquated Automated Clearing House (ACH) to pull off the attack.
First, the attackers used a computer virus to get into the school district's computers. We don't know what type of virus it was or how it got onto the machines, but similar attacks have planted keylogging software on computers to capture account credentials. Second, a red flag should have gone up when the school district appeared to add 42 employees from as far away as California and Puerto Rico; keep in mind that the school district is located in Pennsylvania. Third, the school district's bank, ESB, received 74 transfer requests within a four-day period. Fourth, this was unusual activity for the school district, but unusual activity does not always trigger a red flag in the ACH system. Fifth, the bank should have accepted transfers only from the school district's payroll account, yet these transfers came from its tax account. Sixth, the contract with the bank states that only certain appointed people can authorize transfers, but these transfers came from a non-authorized person. Finally, an investigator close to the case stated that the ACH system is old and lacks controls.
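Several of the failures above are simple rule checks that either the district or the bank could have run on every outgoing transfer request. The following is an added example (not the district's, the bank's, or any real ACH system's code) that screens a constructed batch of requests against four rules mirroring the story: the source account must be the payroll account, the initiator must be on the contract's authorized list, the payee must be in the home state, and the number of requests in a trailing four-day window must stay under a threshold; the account names, initiator names, states, timestamps and the threshold of ten are all assumptions.

```python
from datetime import datetime, timedelta

# Assumed control parameters (not from the article): a real deployment would
# take these from the bank contract and the district's payroll configuration.
PAYROLL_ACCOUNT = "payroll"
AUTHORIZED_INITIATORS = {"treasurer", "business_manager"}
HOME_STATE = "PA"
WINDOW = timedelta(days=4)
MAX_PER_WINDOW = 10

def check_transfer(t, history):
    """Return the control violations for one transfer request.

    `history` holds the earlier, already-screened requests so the velocity
    rule can count how many of them fell inside the trailing window."""
    flags = []
    if t["source_account"] != PAYROLL_ACCOUNT:
        flags.append("wrong_source_account")
    if t["initiator"] not in AUTHORIZED_INITIATORS:
        flags.append("unauthorized_initiator")
    if t["payee_state"] != HOME_STATE:
        flags.append("out_of_state_payee")
    recent = sum(1 for h in history if t["time"] - h["time"] <= WINDOW)
    if recent + 1 > MAX_PER_WINDOW:
        flags.append("velocity_exceeded")
    return flags

def screen_batch(transfers):
    """Screen requests in time order; return {request id: [flags]} for each."""
    history, results = [], {}
    for t in sorted(transfers, key=lambda x: x["time"]):
        results[t["id"]] = check_transfer(t, history)
        history.append(t)
    return results

def sample_batch():
    """Constructed sample: one legitimate payroll run, then a burst of
    requests from the tax account by an unknown initiator to out-of-state
    payees, spaced six hours apart so they all fall in one window."""
    t0 = datetime(2024, 1, 8, 9, 0)
    batch = [{"id": "ok-1", "time": t0, "source_account": "payroll",
              "initiator": "treasurer", "payee_state": "PA"}]
    for i in range(12):
        batch.append({"id": f"bad-{i}", "time": t0 + timedelta(hours=6 * i + 1),
                      "source_account": "tax", "initiator": "unknown_user",
                      "payee_state": "CA" if i % 2 else "PR"})
    return batch

if __name__ == "__main__":
    for tid, flags in screen_batch(sample_batch()).items():
        print(tid, "OK" if not flags else ", ".join(flags))
```

Every fraudulent request in the sample trips three rules on its own, and the velocity rule fires from the tenth request in the window onward, so any one of these checks would have surfaced the activity well before 74 requests went through.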
We could add more failures to the list, too. Why wasn't this discovered internally? Why wasn't the virus picked up by the virus scanning software? Where were the financial controls? Why didn't the auditors pick up the activity?
Any one of these failures could have allowed an attacker to steal money from the school district. Multiple failures in the school's system and in the bank's system just made it plain easy. IT Business Edge's Kara Reader notes that IT is overwhelmed by the speed at which exploits are released and that it takes companies up to 30 days to fix vulnerabilities. As we hear about these incidents, we should be using them as case studies and asking ourselves, "could this happen to my company?"