The FBI is investigating the theft of nearly a half million dollars from tiny Duanesburg Central School District in upstate New York, after cyber thieves tried to loot roughly $3.8 million from district online bank accounts last month.
On Friday, Dec. 18, thieves tried to electronically transfer $1.86 million from the district’s account at NBT Bank to an overseas account. The following Monday, the attackers attempted to move another $1.19 million to multiple overseas locations. It wasn’t until the next day, when transfers totaling $758,758.70 were flagged by a bank representative as suspicious, that the two previous unauthorized transactions were discovered, school officials said.
As of today, Duanesburg and its bank have succeeded in recovering $2.55 million of the stolen funds, but the school district is still out $497,000.
Audrey Hendricks, a communications specialist with Duanesburg Central, said the thieves tried to steal more than a quarter of the district’s annual budget, which stands at less than $15 million. The district serves about 1,000 students in kindergarten through 12th grade in a rural area about 30 miles west of Albany.
Dozens of similar attacks on school districts, cities, counties and small businesses across the country last year have all started with malicious software that helped the attackers steal user names and passwords needed to access the victim’s online bank accounts.
Hendricks said the FBI and the New York State police are investigating, but she said it’s not clear yet whether malicious software played a part in this attack as well.
“At this point, we don’t know exactly how it happened,” Hendricks told krebsonsecurity.com. “The FBI only knows so much, which is unfortunate because we have lots of questions.”
To prevent any of its bank accounts from being further compromised, the district closed all of them and established new ones with restricted online access, it said in a letter (.pdf) sent today to families with students in the area.