Moline paid $421,000 to scammers a year ago, but city officials kept it quiet [Quad City Times, Davenport, Iowa]

Nov. 6—The city of Moline paid $421,000 to scammers nearly a year ago, yet city leaders kept the information quiet, leaving taxpayers in the dark.

The city's liability insurance covers most of the loss, with the city responsible for $10,000 to $20,000, City Administrator Bob Vitas wrote in an email in response to questions from a reporter. Finalization of a settlement and an investigation by the Moline Police Department and federal agencies remain underway, Vitas wrote.

When asked in a Freedom of Information Act request for city emails and an insurance claim related to the theft, Moline's legal department responded with several reasons for keeping all information private. Returned were 187 pages of emails with nearly everything redacted except greetings, recipients, and signatures.

The FOIA response cited concerns about the safety of law-enforcement officials conducting the investigation, attorney/client privilege and claims that information contained in emails could reveal details about the city's security system.

Vitas did not disclose the exact amount of money stolen when asked.

"The city of Moline maintains liability insurance policies that protect the city against ransomware attacks, wire fraud attacks and other forms of cyber-attacks," Vitas said. "On a good note, I can let you know that the city's liability in this matter is limited to between $10,000 and $20,000 as yet to be determined. Given the sensitive nature of this investigation and our ongoing cooperation with investigating federal authorities, I am not at liberty to discuss details of the investigation."

More than $420,000 stolen

Dick Potter, who served as 4th Ward Alderman for 18 years, said Friday he was disappointed about the secrecy. He disclosed details of the theft, including the fact that nearly a half-million dollars of taxpayer money was stolen.

"We got hacked a year ago. It was a lot of money," Potter said. "I can verify that last December, a wire transfer through the city of Moline in the neighborhood of over $420,000 was sent to the wrong party. It was all covered with liability insurance and our losses were minimal.

"I wouldn't have had a problem with issuing a press release. I think that would have been appropriate."

Similar cyber hacks in Rock Island County and LeClaire were disclosed to the public. Rock Island held a press conference to discuss the loss of about $115,000; LeClaire listed the cyberattack on a city council agenda and responded to questions about it when asked. LeClaire officials said they paid out more than $222,000, but had recovered about $120,000 so far. In both municipalities, scammers posing as vendors sent emails to city staff, asking them to change payment methods.

Potter said the Moline theft was discovered when a longtime city vendor called to say they had not been paid. The vendor was confused since the city normally paid invoices right away.

"That's when the problem was discovered by the vendor," Potter said. "That's when we were alerted something was wrong."

'Taking legal avenues'

When the theft occurred in December 2020, Aldermen Scott Williams, Ward 1; Mike Wendt, Ward 3; Sam Moyer, Ward 5; and Michael Waldron, Ward 7; were on city council at the time. New council members were only made aware of the theft when a Quad-City Times/Dispatch-Argus reporter requested information.

Moyer confirmed the theft was discovered when a contractor called the city and said they had not been paid.

"We were told (the city) didn't want to discuss it because they were taking legal avenues," Moyer said. "We only heard about it again when the FOIA requests were made (Oct. 28). We were trying to figure out why (aldermen) weren't briefed on it. We have lots of questions.

"I remember there were a couple other big issues going on," Moyer said. "When we found out about (the theft), it was an email saying they were working on recovering it; they said there would be an investigation and they would let us know."

When asked why the public wasn't notified, Moyer said an email sent to city council members stated the matter "was confidential while they investigate. Our instructions were to let them do their job and they would get back to us."

Williams, Wendt and Waldron could not be reached for comment.

Mayor Sangeetha Rayapati, who defeated Stephanie Acri in the April 6 municipal election, confirmed Friday that none of the new council members knew about the situation until recently.

"There has been no intention to leave the public in the dark by this new administration," Rayapati said. "With new council and new staff, it's taken some time to get up to speed on this situation. Our staff has been handling the investigation and we're happy to be as transparent about situations such as these that impact the city."

In the city's response to the FOIA request, part of the reason for the redaction took into consideration "the nascent stage of the investigative efforts, the gravity of the offenses, and sensitivity of the attacks against the city and its residual impact against all parties involved.

"Both the city and the federal law enforcement agents participating in the investigation maintain that premature disclosure of these investigative communications would obstruct the ongoing criminal investigation conducted by the city by permitting the suspects, who have not yet been identified, to potentially evade law enforcement authorities and attempt to destroy or conceal relevant evidence regarding these criminal matters."

The Moline Police Department was notified on or before Jan. 12 and an investigation began, according to an unredacted sentence in emails requested.

In his 18 years on council, Potter said this was the only financial theft "of this magnitude."

"Safeguards and new protocols were put in place to make sure it doesn't happen again," Potter said. "In all fairness to staff, this is not an uncommon thing anymore. It happens a lot; it's not an uncommon thing."

Potter defended Finance Director Carol Barnes, saying it was not her fault.

"I was always supportive of staff," he said. "Luckily, we have all the right liability insurance to cover things like this."

An increasingly frequent problem

Cyberattacks, which come in several varieties, have been an increasingly frequent and expensive hazard governmental organizations must contend with.

According to the FBI's most recent data, between 2016 and 2019, business email compromises, which target legitimate transfers of funds through email like in the three Quad-Cities cases, caused more than $26 billion in exposed dollar loss across the globe. Between 2018 and 2019, reports of business email compromises doubled.

Paul Rouse, president and owner of Rouse Consulting Group, said cyberattacks are becoming increasingly more sophisticated and common.

"Really in the last decade, the focus has, I don't want to say shifted, it's included everybody, whether it's the individual at home, a small organization, up to the big guys, and the skill required to launch many of these attacks has come down," Rouse said.

Rouse recommended training, such as sending tests of fraudulent links that mirror a scam to teach employees to be skeptical, especially to requests for wire transfer and time sensitive requests. Verifying change requests by calling or meeting with the vendor can add an extra layer of security.

"Training is the No. 1 tool against that and having a regimented, continuous training process," Rouse said.

Barb Ickes contributed to this reporting.

___

(c)2021 Quad City Times, Davenport, Iowa

Visit Quad City Times, Davenport, Iowa at http://www.qctimes.com

Distributed by Tribune Content Agency, LLC.