Cyber Incident Victim: New Haven Public School District

Date: May 2023

Location: United States of America

Summary

Hackers compromised the email account of the New Haven Public Schools' chief operating officer, impersonating contractors to send fraudulent electronic transfer requests. This resulted in the theft of over six million dollars from the school system. A portion of the stolen funds was subsequently recovered. The incident prompted an external investigation and a review of the organization's cybersecurity policies and training procedures.

Description

On or around May 1, 2023, threat actors initiated a cyberattack against New Haven Public Schools by gaining unauthorized access to the email account of the district's Chief Operating Officer, Thomas Lamb. This initial access provided the attackers with a platform to conduct a business email compromise scheme. Using the compromised email account, the attackers impersonated two legitimate business partners of the school system: Shipman & Goodwin, a law firm under contract with NHPS, and First Student, the district's bus contractor. The attackers then crafted and sent a series of fraudulent electronic transfer requests to the city's finance department.

Between late May and mid-June 2023, the attackers submitted seven separate fraudulent requests for payment. The city's budget office, processing these requests that appeared to originate from a trusted high-level official and were disguised as communications from established vendors, authorized six of the seven transfers. The total amount of these unauthorized transfers was slightly over $6 million. The theft went undetected for a minimum of two weeks. The incident was ultimately discovered when the legitimate bus contractor, First Student, contacted the city to inquire about a missing payment. This inquiry prompted the budget office to review the transactions and identify the fraudulent activity. Upon this discovery, the city was able to block the seventh and final transfer request, preventing further loss.

Mayor Justin Elicker publicly disclosed the incident in August 2023, confirming that $6 million had been stolen from the school system. He characterized the act as "unbelievably unethical" and emphasized that the stolen funds were taxpayer money intended for the benefit of children within the school district. The city administration immediately partnered with the Federal Bureau of Investigation to investigate the crime and attempt to recover the stolen funds. Through these efforts, the city successfully recovered $3.6 million of the $6 million that was stolen. Mayor Elicker expressed optimism that additional funds might be recovered and noted that the city was also working with its insurance company, which could potentially cover a portion of the remaining financial loss.

In response to the security breach, the City of New Haven initiated a comprehensive review of its policies and systems. Concerned that security shortcomings might extend beyond the school district to the city government itself, administrators engaged external cybersecurity experts. These experts were tasked with conducting an independent, third-party investigation into the attack to determine its root causes and to recommend strengthened security measures. The city's IT department began working with these experts to strengthen cybersecurity defenses and to develop new policies to prevent a similar incident from occurring in the future. As part of the internal response, a finance department employee was placed on paid administrative leave pending the outcome of the investigation. The subsequent third-party investigation found that this employee had not violated any existing city policies and was not at fault for authorizing the fraudulent transfers. The employee was subsequently reinstated to their position.

New Haven Public Schools communications director, Justin Harmon, stated that the theft was "outrageous" and confirmed that the district was fully cooperating with investigative authorities. He further noted that NHPS was working with cybersecurity experts to make its systems more secure, though no further specific details on the security enhancements were publicly disclosed. Mayor Elicker stated that the city chose to be transparent about the attack and went public as soon as investigators permitted it, a decision later praised by a cybersecurity expert for its openness compared to other government entities that might seek to conceal such incidents. The city also reinforced its commitment to employee training, with Mayor Elicker noting that employees regularly undergo email safety training to improve awareness of threats like phishing and social engineering attacks.

The primary impact of the incident was a direct financial loss of $6 million from the New Haven Public Schools system. While $3.6 million was recovered, the net financial impact remained a loss of $2.4 million, with the potential for insurance to reduce this figure. The event disrupted the normal financial operations of the school district, as evidenced by the delayed payment to its bus contractor, which triggered the discovery. The incident also necessitated a significant expenditure of time and resources on the part of city administrators, the IT department, and external consultants to investigate the breach, recover funds, and overhaul security protocols. While the investigation found no malicious intent or policy violation by the city employee involved, the event still resulted in a temporary personnel action, with that individual being placed on leave. The attack highlighted the vulnerability of public school systems and municipal governments to targeted business email compromise schemes, a common frontline cybercrime according to experts.
