Cyber Incident Victim: City of Portland
Date: Apr 2022
Location: United States of America
Summary
The City of Portland had $1.4 million stolen through a fraudulent wire transfer after unauthorized actors compromised a housing bureau employee’s email account via phishing and used it to impersonate a legitimate vendor. Treasury officials initially flagged banking discrepancies, but confirmation was mistakenly obtained from the perpetrator, allowing the transfer to proceed. Attackers maintained access for approximately one month, attempting a second unsuccessful transfer before detection. Funds were stolen from general city accounts, though the intended affordable housing contractor was later reimbursed. Investigations involving law enforcement found no employee misconduct, while partial recovery was achieved through cybersecurity insurance. The breach prompted internal reviews and enhanced security measures amid ongoing efforts to identify the perpetrators.
Description
On April 25, 2022, the City of Portland processed a $1.4 million wire transfer intended for Central City Concern, a nonprofit developing the Starlight affordable housing project. The City Treasury had flagged discrepancies in the beneficiary account name prior to the transfer, warning housing bureau staff that mismatched names often indicated fraud. Despite these warnings, two housing bureau finance officials confirmed the banking details after communicating with an entity they believed represented the nonprofit. Unbeknownst to them, they were corresponding with a cybercriminal impersonating Central City Concern’s treasury manager via a compromised City email account. The attacker had gained access days earlier through a phishing scheme that tricked a housing bureau employee into disclosing login credentials. After the Treasury released the funds based on the fraudulent confirmation, the hacker maintained control of the breached email account for approximately one month, enabling further unauthorized access from global locations including Texas, Germany, and Nigeria via VPNs. A second fraudulent transfer attempt on May 17 alerted the City to the breach, but by then the initial $1.4 million had already been routed to an East Coast account and vanished. Investigators later determined the attacker had exploited known system vulnerabilities to manipulate wire transfer processes and impersonate legitimate vendors.

Following the detection of the second fraud attempt, the City activated a cyber incident response team, notified the FBI, U.S. Secret Service, and Portland Police Bureau, and placed three housing bureau employees involved in the initial transfer on administrative leave. A police investigation cleared the employees of criminal wrongdoing, and all returned to work. The City reimbursed Central City Concern the stolen $1.4 million from General Fund dollars, confirming no housing bond funds were affected. Cybersecurity insurance is expected to recover approximately $500,000 of the loss. Internal reviews revealed the attacker’s prolonged access allowed them to monitor communications and attempt further fraud, though no additional funds were stolen. The City initiated measures to address the exploited vulnerabilities, expand employee cybersecurity training, and enhance email authentication protocols. Annual cybersecurity expenditures totaling $4 million—4.7% of the IT budget—were already in place, but officials anticipate increased insurance premiums and additional costs to fortify defenses. Law enforcement investigations remain ongoing, but experts consider recovery of the full amount or identification of the perpetrators unlikely due to the transnational nature of such crimes. Construction of the Starlight project proceeded without delays.
