Waitsfield Town Hall

State and federal agencies are investigating a sophisticated $81,000 financial hack carried out as the town paid its engineering firm for work conducted as part of the town’s wastewater project.


The town has two insurance policies that will cover the financial loss, subject to the town’s $1,000 deductible.

Waitsfield has been working with engineers from DuBois and King on town planning and engineering for several years. The breach occurred when an ongoing email chain between DuBois and King employees and town employees was hacked mid-stream: partway through the existing chain, one letter of one recipient’s email address was changed.

That allowed financial data relating to the ACH transfer to be exploited, explained Waitsfield town administrator York Haverkamp. He said that, according to investigators, this type of mid-email-chain hack is relatively new, or even unheard of.

The breach was discovered at the end of last week when town treasurer Steve Lewis received a second invoice for $81,683 from DuBois and King, after the town had paid that invoice electronically on April 7.


Haverkamp explained that the town received notice in mid-March that DuBois and King was transitioning from check payments to ACH transfers and the select board discussed the change at a meeting before approving the April 7 payment.

The $81,683 invoice was first received in January, sent by Eric Hildenbrand at DuBois and King to Lewis, the town administrator and planning director JB Weir. In early February, D&K corrected the invoice due to a numbering issue and provided a revised version. Engineer Jon Ashley, who has worked with the town since the beginning of the wastewater project, was looped into the chain.

The town paid via ACH in April. Last week, on May 22, Lewis received another invoice from the engineering company, which was followed up by a phone call on May 23.

“After looking into the records, Steve identified a subtle but critical issue: in the mid-March email, Eric’s email address had changed slightly, from "@duboisking.com" to "@dubcisking.com". The alteration was nearly invisible. Later in the same thread, “Jon Ashley” was looped in, but his email was also a spoofed version of the legitimate address. There is a second, separate email chain that also appears to be fraudulent,” Haverkamp explained to the board in an email late last week.
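The one-letter domain swap described above is the kind of thing a simple check on a vendor email thread can catch before a payment goes out. The script below is an added example written for this article, not code from the town, its IT consultants or DuBois and King; it walks a constructed thread of From: headers in order and flags (a) any sender domain that is within a couple of edits of a trusted vendor domain but is not that domain, and (b) a display name that reappears later in the thread under a different domain. Only the two domains "duboisking.com" and "dubcisking.com" are taken from the report; the local parts of the addresses, the thread itself and the trusted-domain list are assumptions for illustration.

```python
"""Flag look-alike sender domains and mid-thread domain swaps (added example)."""
from email.utils import parseaddr

# Constructed sample thread (not from the article): only the two domains
# appear in the report; the local parts and message order are made up.
SAMPLE_THREAD = [
    "Eric Hildenbrand <e.hildenbrand@duboisking.com>",
    "Eric Hildenbrand <e.hildenbrand@duboisking.com>",
    "Eric Hildenbrand <e.hildenbrand@dubcisking.com>",   # 'o' became 'c'
    "Jon Ashley <j.ashley@dubcisking.com>",
]

# Assumed allow-list of vendor domains the town has verified out of band.
TRUSTED_DOMAINS = {"duboisking.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_sender(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) parsed from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip(), domain


def lookalike_of(domain: str, trusted: set[str], max_distance: int = 2):
    """Return (trusted_domain, distance) when `domain` is NOT trusted but is
    within `max_distance` edits of a trusted domain; otherwise None."""
    if domain in trusted:
        return None
    best = min(((levenshtein(domain, t), t) for t in trusted), default=None)
    if best is not None and best[0] <= max_distance:
        return best[1], best[0]
    return None


def audit_thread(thread: list[str], trusted: set[str]) -> list[dict]:
    """Walk the thread in order and report:
    - 'lookalike_domain': sender domain is a near-miss of a trusted domain;
    - 'domain_changed_mid_thread': a display name seen earlier now writes
      from a different domain (the mid-stream swap in the article)."""
    findings = []
    first_domain: dict[str, str] = {}  # display name -> domain first seen
    for idx, header in enumerate(thread):
        name, domain = split_sender(header)
        hit = lookalike_of(domain, trusted)
        if hit:
            findings.append({"index": idx, "type": "lookalike_domain",
                             "domain": domain, "mimics": hit[0],
                             "distance": hit[1]})
        earlier = first_domain.setdefault(name, domain)
        if earlier != domain:
            findings.append({"index": idx, "type": "domain_changed_mid_thread",
                             "name": name, "was": earlier, "now": domain})
    return findings


if __name__ == "__main__":
    for finding in audit_thread(SAMPLE_THREAD, TRUSTED_DOMAINS):
        print(finding)
```

Run as-is, it reports the third message as a look-alike of duboisking.com at edit distance 1 and as a domain change for the name "Eric Hildenbrand", and the fourth message as a second look-alike. Neither check needs the message content; both only need the headers already in the mailbox, which is why a treasurer's office can apply them to any thread that carries a change in payment instructions.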


Once the breach was discovered, Haverkamp, Lewis and Weir filed a report with authorities, contacted their insurance, reported the event through the FBI’s cybercrime portal and revisited the town’s security protocols with its IT consultants. Haverkamp said he still needs to report the incident to the Vermont Attorney General’s office.

“We are moving quickly to prevent anything like this from happening again. I’ll begin the process of migrating our systems to .gov email addresses next week. It’s a complex and lengthy task, but a crucial step in strengthening our defenses,” he added.

More information will be shared at upcoming select board meetings going forward.