Cyber Incident Victim: Capital Region Planning Commission
Date: Dec 2024
Location: United States of America
Summary
The Capital Region Planning Commission experienced a cyberattack in which unauthorized actors accessed its financial systems and impersonated legitimate vendors, resulting in fraudulent transfers totaling $88,073 to unauthorized accounts. The breach also compromised email systems, and the organization is actively pursuing recovery of the misappropriated funds through insurance claims and bank negotiations. An audit confirmed the incident's impact on financial operations and identified weaknesses in cybersecurity controls that facilitated the unauthorized transactions.
Description
In 2024, the Capital Region Planning Commission (CRPC) based in Baton Rouge, Louisiana, suffered a cyberattack that compromised its financial systems, allowing unauthorized actors to initiate fraudulent transactions. The attackers gained access to the commission’s financial infrastructure and posed as legitimate vendors, submitting payment requests that resulted in two unauthorized wire transfers totaling $88,073—specifically $78,182 and $9,891—to fraudulent accounts. The breach also affected the commission’s email systems, though the exact method of initial access (e.g., phishing, malware) was not disclosed in audit documents. The incident was discovered during a routine financial audit conducted by the Louisiana Legislative Auditor’s office, which identified discrepancies in payment records and traced the transfers to illegitimate destinations. The fraudulent activity occurred within the commission’s 2024 fiscal year, impacting its governmental activities fund and necessitating adjustments to its financial statements. No customer or resident data was confirmed as exposed, as the attackers focused on financial diversion rather than data exfiltration. The commission’s internal controls failed to detect the vendor impersonation or unauthorized account changes prior to the audit review. This incident represented a direct financial loss equivalent to approximately 3.3% of the commission’s total annual expenses of $2,680,676 for the year, straining operational budgets allocated for transportation planning, economic development initiatives, and federal grant programs across its 11-parish jurisdiction.

Following the discovery, CRPC management immediately reported the incident to multiple law enforcement agencies, including the FBI’s Internet Crime Complaint Center (IC3) and the Louisiana State Police Cyber Crime Unit, while also notifying the Louisiana Legislative Auditor as required by state statutes governing public fund mismanagement. The commission initiated recovery efforts through its cyber insurance policy and engaged its banking institution to attempt fund recovery, though the audit noted these processes were ongoing with no guaranteed restitution. CRPC’s executive leadership acknowledged deficiencies in cybersecurity protocols and vendor payment verification processes during the audit investigation. In response, the commission obtained enhanced cyber insurance coverage, implemented mandatory annual cybersecurity training for all employees, and began developing a formal incident response plan to address future breaches. The legislative auditor’s report recommended strengthening financial system access controls, conducting a comprehensive review of accounts payable procedures, and improving segregation of duties for payment authorization. Forensic analysis by state police remained pending at the time of the audit publication, limiting public disclosure of specific technical vulnerabilities exploited in the attack. The incident prompted CRPC to reallocate $106,439 within its budget to cover bad debt expenses related to the fraud while awaiting potential insurance reimbursements, impacting funding availability for capital projects and grant matching requirements. No disciplinary actions against staff were disclosed, with the audit attributing the breach primarily to systemic control failures rather than individual negligence.
