Was a cyberattack that stole $6 million meant for the public school district’s school bus contractor an inside job? Was it carelessness on behalf of school district and city employees? What on earth happened that so much money could have been sent out erroneously?
Board of Education member Darnell Goldson raised those questions Monday during a press conference focused on just how little information the school board has received to date about the early summer cybercrime.
Goldson hosted the press conference outside of Barack Obama School on Farnham Avenue a half hour before the Board of Education’s latest regular biweekly meeting at that same school.
He said he hosted the presser because the school board’s agenda for the night did not include a briefing or conversation about the cyberattack that Mayor Justin Elicker and top police officials made public late last week. According to the mayor, hackers impersonating the school district’s chief operating officer and a number of local vendors succeeded in stealing around $6 million over the course of six cyberattacks between late May and June. A vast majority of that money was intended for New Haven’s school bus contractor, First Student. With the help of the FBI, the city has recovered roughly $3.6 million of those stolen funds. One city finance department employee has been placed on paid administrative leave as the city investigates whether or not its electronic payment rules were followed appropriately during these cyberattacks. (The school board wound up discussing the cyberattacks and cybersecurity in private during an hourlong executive session at the end of Monday’s meeting.)
Goldson requested on Monday to know more about how the incident occurred and what will be done to make sure it doesn’t occur again.
“I’m concerned that, as the legal stewards of the Board of Education and the New Haven school system’s money, the Board of Education should have been briefed immediately, and we still haven’t been briefed,” Goldson said.
Goldson said he heard a rumor some months ago about a possible theft of money, but didn’t officially get confirmation of the cyberattack until reading local news last week.
He said he received a call an hour before last weeks’ presser from the schools superintendent saying money was stolen and that a press conference was being hosted. Goldson said he asked several questions and got no answers yet about the incident.
He criticized the framing of the cyberattack as a hacking of the system. He described it instead as “carelessness on the part of our leadership at City Hall to protect our money.”
“Maybe they have a good answer, but they haven’t told us,” Goldson said.
Goldson said, while on the Board of Education for the past seven years, he’s advocated for safeguards to be in place for contracts requesting any amounts of money from the district. (Click here and here to read past stories about Goldson’s push for more fiscal responsibility in the school disrtict.) At Monday’s Board meeting, Goldson voted against a purchase order with Valley Communications Systems Inc., that already allowed work without the Board’s official approval.
“I’m wondering usually when we see these kinds of things, there’s usually some kind of inside activity around it,” Goldson said during the pre-meeting press conference. “When you lack those kind of controls, those simple kind of controls, it’s usually because someone wants to make sure that those controls are not there so that they could do something. I don’t know if that’s the case or not.”
He also asked who was put on leave due to the incident and why only one person involved was put on leave. (New Haven Public Schools Chief Operating Officer Thomas Lamb, who has not been placed on leave, declined to comment for this story. He said he’s still been able to do his work as COO despite the incident, which saw hackers impersonate him in their successful bid to get the city’s finance department to send out electronic payments.)
Goldson concluded that the city and school district must improve its systems to avoid allowing several money transfers to be made without requiring steps to confirm the money was received by the correct party.
“The mayor’s been mayor for four years, he should’ve did that a long time ago,” Goldson said.
After Monday’s meeting, Elicker said the city has taken many steps over the years to strengthen its cybersecurity systems. He added that the city has a fund balance that will be used to make sure that these cyberattacks do not impact students’ transportation needs as the new school year approaches.
He added that the city and school leadership is releasing as much information as possible to the public but wants to avoid releasing specifics on its security plans to avoid giving hackers information on how to attack again.
“One of the issues that he [Elicker] raised four years ago when he was running against the former mayor was about transparency and the fact that someone in her office had used up a credit card without authorization,” Goldson said during the presser. “He made a huge deal about that you would think that he would of put some checks and balances in place so those kinds of things didn’t happen again but it happens on his watch and it happened for a whole lot more money.”
Local contractor and Newhallville native Rodney Williams offered his support for Goldson at Monday’s press conference. Williams pointed out that Goldson is the sole Board member asking questions and being the voice of the community with request for transparency.
Certified Public Accountant and alder candidate for Ward 25 Dennis Serfilippi and Ward 8 alder candidate and cybersecurity student Andrea Zola also joined the press conference.
“I was shocked but I wasn’t surprised,” Serfilippi said.
Serfilippi added that he’s been long warning the city about its financial oversight issues with a lack of an active Finance Review and Audit Commission (which he’s applied to be on in the past) and a full time controller for the past three years.
“I don’t think he has interest in replacing it because the position is posted on the city website but the salary is $50,000 or $60,000 below market,” Serfilippi concluded.
Zola asked what the city’s future plans are to keep the city safe from future risk of spear-phishing attacks.
For the last hour of Monday’s Board meeting, members met in private executive session with Superintendent Madeline Negrón to discuss the cyberattack and updates on cybersecurity efforts.
And in a separate Monday afternoon phone interview with the Independent, Elicker spoke about how challenging it’s been to fill the vacant city controller and city chief technology officer positions.
“We have had that open for a very, very long time,” Elicker acknowledged about the city controller position, which oversees the city’s finance department. The role “requires someone with very particular expertise.” He noted his administration’s push to increase salaries and remove residency requirements for department heads to try to make easier to fill such a role.
As for the chief technology officer position, which was first created in July 2022 and has been vacant ever since, Elicker said the city has taken longer than he had hoped to hire someone for that position — in part because he wanted to make sure that the new schools superintendent stepped into her job and had a say on the hire before a new chief technology officer was brought on board. He said the city is actively reviewing applications for that role and is hoping to hire someone soon.
Thomas Breen contributed to this report.