Cyber Incident Victim: Massachusetts Clean Energy Center

Date: Jan 2017

Location: United States of America

Summary

A phishing attack compromised the Massachusetts Clean Energy Center, leading to an unauthorized transfer of nearly $94,000 in public funds to a fraudulent account. The agency discovered the theft the following month but delayed reporting it to its board of directors for eight months, as identified in a subsequent state audit.

Description

On January 9, 2017, the Massachusetts Clean Energy Center, a quasi-public state agency, transferred $93,679 of public funds to a fraudulent bank account controlled by a cyber scammer following a phishing attack conducted via email. The agency processed the wire transfer under the false belief it was a legitimate transaction, only discovering the theft in February 2017 during routine financial reconciliation. Despite identifying the fraud internally within weeks of the incident, the agency’s board of directors remained uninformed for eight months, delaying oversight and accountability measures. The phishing scheme exploited standard business email processes, though specific technical details of the attack vector were not disclosed in public reports. No evidence suggested broader system compromises beyond the fraudulent transfer.

State Auditor Suzanne M. Bump’s subsequent review confirmed the theft and highlighted the delayed disclosure to the board as a failure in governance protocols. The audit did not identify additional financial losses beyond the initial $93,679 but underscored operational vulnerabilities in fraud detection and reporting. The Massachusetts Clean Energy Center publicly acknowledged the incident following the audit’s release, attributing the theft to a phishing scam without elaborating on internal disciplinary actions or procedural changes. The financial impact represented a direct loss of public funds allocated for clean energy initiatives, though the agency’s broader operations reportedly continued without disruption. The incident remained under scrutiny as a case study in delayed breach notification within state-affiliated entities.
