Cyber Incident Victim: US Virgin Islands Water and Power Authority
Date:
Jun 2019
Location:
United States of America
Summary
The Water and Power Authority suffered a business email compromise attack involving a fraudulent email that facilitated an unauthorized transfer of $2.3 million to an unidentified bank account. The incident was reported to federal authorities, including the FBI, prompting the utility to implement staff training on identifying suspicious communications. Separately, the Virgin Islands Police Department detected a cyber targeting attempt, which was also escalated to federal investigators. Local officials acknowledged collaborating with the Department of Homeland Security to enhance monitoring of public-facing cyber systems, though no additional budgetary allocations were designated for these security improvements at the time. The territory's court system reported similar suspicious email incidents but mitigated them through existing quarantine protocols.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early June 2019, the U.S. Virgin Islands Water and Power Authority (WAPA) disclosed a $2.3 million theft resulting from a Business Email Compromise (BEC) scheme. CEO Lawrence Kupfer reported to a territorial Senate committee that fraudulent electronic correspondence, appearing legitimate, facilitated an unauthorized transfer of funds to an unidentified external bank account. The attack was promptly reported to federal law enforcement authorities, though specific detection timelines and technical methods used by the perpetrators were not publicly detailed. This incident occurred amid a broader surge in cyberattacks targeting municipal entities across the United States, with at least 23 local governments experiencing malware or ransomware incidents in the first half of 2019 alone. Concurrently, the Virgin Islands Police Department experienced a separate cyber intrusion attempt, which was detected and reported to the FBI according to Government House Communications Director Richard Motta.
WAPA responded by implementing mandatory staff training programs focused on identifying suspicious email characteristics to prevent future social engineering attacks. The territory’s court system administrator, Regina Petersen, separately disclosed recurring suspicious email incidents within judiciary operations, though these were intercepted through existing quarantine protocols before causing operational disruption. The Virgin Islands Bureau of Information Technology initiated collaboration with the U.S. Department of Homeland Security to enhance monitoring of public-facing digital infrastructure, though Motta confirmed no additional cybersecurity funding was allocated in the Fiscal Year 2020 budget for these efforts. Financial impacts from the WAPA theft remained confined to the $2.3 million loss, with no documented secondary effects on utility services or additional data breaches disclosed. The incident exemplified a growing trend of financially motivated cybercrime targeting public sector entities, as evidenced by contemporaneous ransomware attacks against Riviera City and Lake City, Florida, which collectively paid over $1 million to recover encrypted data.