Cyber Incident Victim: Government of Puerto Rico
Date: Jan 2020
Location: United States of America
Summary
Puerto Rico's government lost over $2.6 million in a phishing attack after transferring funds to a fraudulent account based on a deceptive email requesting a change to banking details for remittance payments. The Industrial Development Company, responsible for the transfer, reported the incident to the FBI and launched an internal investigation to determine potential negligence or procedural failures. Officials emphasized the seriousness of the breach amid public criticism and the territory's prolonged economic challenges, while attempting to recover the misdirected funds.
Description
On January 17, 2020, Puerto Rico’s Industrial Development Company transferred $2.6 million to a fraudulent bank account following a phishing email that falsely claimed a change to a banking account associated with remittance payments. The agency’s finance director, Rubén Rivera, filed a formal complaint with police on February 12, detailing the unauthorized transaction. Executive Director Manuel Laboy confirmed the incident publicly the same day, stating officials discovered the fraud earlier that week and promptly notified the FBI. Laboy characterized the event as an extremely serious breach but declined to specify how the scam was detected, whether personnel changes occurred, or the operational impact of losing the funds. The agency initiated an internal investigation to assess potential negligence or procedural failures while collaborating with authorities to recover the money.

The incident drew sharp public criticism amid Puerto Rico’s ongoing 13-year recession, which had already strained government services. Laboy emphasized his agency’s commitment to responsible public fund management but avoided speculating on the phishing attack’s origins or execution. No law enforcement updates were provided at the time of reporting, as police did not respond to inquiries. The financial loss compounded existing economic challenges, though officials did not disclose specific operational disruptions. Recovery efforts and investigations remained active, with no further public details released regarding forensic findings, suspect identification, or disciplinary actions.
