Cyber Incident Victim: Portland Public Schools
Date: Aug 2019
Location: United States of America
Summary
Portland Public Schools fell victim to a business email compromise scam, resulting in employees wiring $2.9 million to fraudulent accounts. The district swiftly detected the unauthorized transactions, engaged the FBI, and successfully froze the funds before they were withdrawn, with full recovery anticipated. Two employees involved in approving the transfer were placed on paid administrative leave, though preliminary findings indicated no internal criminal involvement. The incident prompted an immediate review of payment protocols, vendor management, and financial controls, alongside mandatory fraud prevention training for all finance staff. External experts were enlisted for an independent investigation of security practices and financial procedures to prevent future occurrences.
Description
Portland Public Schools, a PK-12 urban school district in Oregon serving over 49,000 students across 81 schools, experienced a business email compromise (BEC) scam in mid-August 2019 that resulted in the fraudulent transfer of approximately $2.9 million. District employees authorized a wire transfer to an attacker-controlled account after receiving deceptive communications impersonating a trusted entity, though the specific impersonated party was not disclosed. The fraudulent transaction was detected on Friday, August 16, 2019, prompting immediate notification to the FBI through established internet crime reporting protocols. Superintendent Claire Hertz confirmed the district simultaneously launched an internal investigation to determine the origin of the transaction and evaluate why procedural controls failed to prevent it. The funds were successfully frozen before being moved out of traceable accounts, with confirmation from both banking partners and federal investigators that the full amount would be returned to district accounts.

Two employees responsible for approving the fraudulent transfer were placed on paid administrative leave pending further review, though preliminary findings indicated no criminal involvement by district personnel. The incident triggered comprehensive operational changes including an immediate review of all payment procedures, vendor account management protocols, and fund transfer authorization processes. Mandatory updated fraud awareness training was implemented for all finance department staff, with completion required before any payment authorization privileges could be restored. The district engaged external experts in cybersecurity, financial controls, and workplace fraud to conduct an independent investigation, while their external auditor initiated a separate review of financial controls and vendor management systems. These response measures occurred alongside a forensic examination of historical transactions to identify potential prior compromises, though no evidence of additional fraudulent activity was disclosed publicly. The financial recovery mitigated direct monetary losses, but the incident exposed vulnerabilities in payment verification processes that necessitated systemic procedural reforms across the district's financial operations.
