The City of Santa Fe New Mexico lost $324,000 in a recent cyberattack. This significant financial loss occurred due to a hacker infiltrating an online vendor portal. The hacker successfully diverted a payment intended for roadwork contractor GM Emulsion. These stolen city funds were then sent directly to a fraudulent bank account. Santa Fe city officials were first informed about this cyberattack on Monday this week. Wells Fargo Bank was the institution that notified the city about the theft. City Manager Mark Scott officially confirmed these unfortunate details in an interview on Tuesday. This incident highlights ongoing vulnerabilities in municipal online payment processing systems.
The theft of these public funds is now being thoroughly investigated by multiple agencies. The Santa Fe Police Department is actively involved in this ongoing criminal investigation. Other law enforcement agencies including the FBI are also currently investigating this matter. City Manager Mark Scott stated they are quite unsure about recovering the stolen money. He said there is a distinct possibility the city might not get the funds back. This uncertainty is partly due to a significant time lag in reporting the incident. This lag occurred between the actual hack and the city’s eventual official notification.
The money was sent from one of the city’s Wells Fargo bank accounts. It was unfortunately transferred to an unfamiliar and clearly fraudulent bank account.
This recent incident might be the City of Santa Fe’s most costly cyberattack yet. However this was not the first time the city has faced such an attack. A somewhat similar incident also occurred in the year 2023 involving vendor payment. That previous attack involved a vendor payment of $35,311 that was illicitly diverted. The city was fortunately able to recoup all but $2,643 of those funds. Santa Fe-based GM Emulsion currently has millions of dollars in city road contracts. This includes a large on-call contract valued at approximately eight million U.S. dollars.
The stolen $324,000 payment was for specific work the company did at Santa Fe Airport.
The City of Santa Fe has assured GM Emulsion it will still receive payment. The roadwork company will eventually get a check for the full amount of stolen funds. However it remains quite unclear if the city itself will ever recoup the money. City Manager Scott said he was told any recovery process would likely take months. This process would probably take at least several months if funds are recoverable at all. This cyberattack underscores the significant risks associated with online vendor payment portal systems. It also clearly demonstrates the major challenges in recovering any electronically stolen public funds. Stronger cybersecurity measures are evidently needed to protect all public financial transactions.
Reference:
