Sophos Cloud Optix
The town of Burlington, Washington has warned residents that they could be the targets of identity theft, after hackers compromised a number of town systems used to run an online automatic utility billing system and emptied $400,000 from a city bank account.
In a notice posted on the town’s website, Bryan Harrison, the City Administrator, said that a city-run automatic payment system – that was used by residents to pay sewer and storm drain charges – was compromised.
“If you are enrolled in Autopay, you should assume that your name, bank, bank account number and routing number have been compromised,” Harrison warned.
The announcement follows local media reports in the small, Pacific Northwest town that more than $400,000 was stolen from a Bank of America account belonging to the city.
The money was taken via a number of illegal wire transfers over a two day period, according to one report.
Located 66 miles north of Seattle, Burlington is a former logging town that is now best known as the home of a large, regional shopping mall complex. Calls and email to the Burlington Finance Department were not immediately returned.
In addition to the city sewer customers, the hackers grabbed bank records for city employees that used a direct deposit program. Victims were notified that their account information was compromised and advised to close any bank accounts used for direct deposit, or notify their banks.
The City Finance Department discovered the breach after noticing the illegal transfers on Friday. The US Secret Service is helping local police officers investigate the crime, as is the Puget Sound Electronic Crimes Task Force, according to the report.
Small cities and towns are common targets of cybercriminal hacking groups, who take advantage of loosely secured or misconfigured systems, or gullible employees to gain a foothold on municipal systems and access bank accounts used by town government.
Lawmakers in the United States have even considered extending consumer fraud protection to towns, schools and city governments, after a string of electronic heists affecting municipalities nationwide.
Hacker image from Shutterstock.
What they need to do is stop exempting cities and towns from the same procedures and guidelines that the private sector must meet when storing and keeping data safe.
Many states exempt gov agencies from whatever new regulations they put in place, (they usually are also exempt from lawsuits) yet when you think about it the gov agencies have more personal data than anyone else. City hall, police, fire, etc, all have databases and information on city residents. A few examples; medical calls, billing info, domestic disputes, ss# and birth records.
Email is weak, systems are way out of date, bad policies, really easy to social engineer, weak passwords, internal servers and systems and not hardened against attacks, etc, etc….
What rights and legal protections do citizens have to refuse to give local municipalities personal information such as social security number & bank account information when our cities are not equipped to protect that information?
Well, you can always decline to enroll in AutoPay or direct draft schemes. The city may require you to put down a hefty deposit, but you can insist on monthly billing paid by mailed personal check.