A recent incident in Bazetta Township, Ohio, has highlighted the critical importance of cybersecurity in local government operations. Trumbull County Auditor Martha Yoder disclosed that a disabled security feature led to a significant hacking event, resulting in the fraudulent transfer of over $100,000 in tax dollars to an unauthorized bank account. The incident unfolded after the township’s fiscal officer had requested the disabling of multifactor authentication (MFA) for their Microsoft Office 365 account, which ultimately compromised the account’s security.
According to Yoder, the breach occurred when hackers gained access to the fiscal officer’s email account and sent fraudulent communications to the county auditor’s office. These communications directed the office to transfer funds to a new bank account, purportedly belonging to the township. An investigation revealed that the unknown sender successfully intercepted eight transactions totaling $160,857.18, which were meant for Bazetta Township. The county auditor’s office was notified of the incident on September 3, but it was determined that the account could have been compromised weeks earlier.
The Auditor’s office emphasized that the disabling of MFA directly contributed to this security breach. Yoder stated, “If that fiscal officer had not had that multifactor authentication taken off, they would have never been hacked, and none of this would have happened.” She also indicated that the IT department of Bazetta Township may have turned off the MFA without the trustee’s knowledge or permission, further complicating the issue of accountability.
In response to this incident, Yoder underscored the need for Bazetta Township to acknowledge its role in the hacking event. She noted that the county has now instituted a formal policy to prevent unauthorized changes to bank accounts and has called for additional oversight in such financial matters. There are potential avenues for recovering the lost funds, as Ohio law stipulates that a township fiscal officer may be held liable for negligence leading to financial losses. This incident serves as a stark reminder for local governments to prioritize cybersecurity measures and maintain robust authentication protocols to protect public funds.
Reference:
