Cyber thieves hit Gregg County for $200K
Dec. 6, 2010 at 6 p.m.
An international cyber attack on the Gregg County Tax Assessor has cost at least seven taxing entities a total of about $200,000, officials said Monday. Other Texas counties could also be victims.
The cyber theft hijacked local tax payments from a daily electronic transfer, which that day totaled $690,000 and was destined for schools and cities, in what tax assessor/collector Kirk Shields described as the first such incident he's seen in his 14 years leading the department. He spent Monday afternoon informing the entities how much each had lost.
News of the theft over a week ago prompted an immediate change in the county's method for moving funds.
"As long as I'm tax collector, we will never go back to sending out money electronically again," Shields said. "It's the first time we've had anything like this."
County Information Services Director Cindy Romines said a countywide halt has been put on all electronic funds transfers, called automated clearinghouse transfers.
The theft appears to place Gregg County among governments and banking systems worldwide that have been successfully attacked by malicious software, or malware, known as the Zeus Trojan horse.
Gregg County Judge Bill Stoudt said the same scam may have attacked other Texas counties.
"It's an ongoing investigation," he said. "But I understand from some of the law enforcement agencies it has (hit other counties). I don't know what those counties are."
Investigators with the U.S. Secret Service, the Texas Department of Public Safety and Gregg County District Attorney's Office are investigating the Nov. 23 attack in Gregg County. The software allows the thieves to change routing and account numbers of electronic transfers in order to redirect them to destinations they choose.
Once the funds are misdirected, so-called money mules withdraw cash from the accounts.
The malware is activated when a computer user in the target agency clicks on a link in an e-mail or on a website. Shields said a Gregg County employee who mistakenly unleashed the program was suspended for violating county cyber-security policy.
Reversing the transaction
Shields learned of the infiltration Nov. 26, the Friday after Thanksgiving.
"That's when all the activity started from our end and with the banks," he said. "Our goal is to reverse that transaction that went out. Not all the funds have been retrieved, or will be retrieved."
Investigators traced the malware to an associated website.
"The website is identified in Moscow, Russia," Shields said.
The ongoing investigation prevented him from fully disclosing details, including which seven taxing entities were victimized.
The tax office contracts with 14 taxing entities across Gregg County to receive and distribute payments. The theft occurred when the payments were being moved from Shields' office to Texas Bank and Trust for distribution.
The crime was discovered in progress when a bank in Tennessee that was receiving funds contacted Texas Bank and Trust, Gregg County's bank of record, Shields and bank President and CEO Rogers Pope Jr. said.
In between the arrival of the transaction file at the bank and its processing, Pope said, "The criminals from Russia changed the routing and account numbers for certain of the entries within the (automated clearinghouse) file. Within a matter of minutes that happened."
It appears, he added, the thieves had been watching for a juicy transfer to seize.
A News-Journal survey of Gregg County taxing entities Monday afternoon revealed some of the victims of the theft. Those entities included the city of Kilgore, Longview ISD, Kilgore ISD, White Oak ISD, Sabine ISD, and Spring Hill ISD.
Longview ISD said its transfer that day included $274,000, but officials were unsure Monday how much remained missing. Sabine ISD and Spring Hill ISD each lost about $20,000. White Oak ISD and Kilgore ISD also were hit, but officials there were uncertain how much was stolen.
The city of Kilgore suffered a five-digit tax loss from the attack, while Longview and White Oak were unscathed, officials said.
City of Kilgore assistant finance director Lawanna Williams said Kilgore was missing $17,548 in property taxes. She contacted the Texas Municipal League on Monday to learn whether the city is insured for the loss, but the league is remaining silent until the city makes its official claim for review.
Officials in Longview and White Oak reported no losses in property taxes due to the attack. Both have converted to a manual process for depositing checks with the Gregg County tax office, Hara and Robert said.
Lakeport's city secretary reported no losses from the county tax breach.
The county judge said the county is forbidden by state law from using its own tax revenues to repay the entities. He expressed hope the county can find a way to help the victims.
"I would think we would want to make whole anybody that does take a hit," Stoudt said. "I'm angry. And we're going to work with the law enforcement agencies to get to the bottom of what took place."
Pope added the malicious software already was at work when the fund transfers arrived from the county. He said other bank customer online transactions are secure.
"Our technology, for this very reason, is scrutinized very heavily by state and federal regulators," he said, adding that a third-party cyber auditor backs up those regular inspections. "And, very thankfully, we have never had a successful compromise of the bank's computer systems in any way."
Staff writers Jimmy Isaac and Christina Lane contributed to this report.