
UPDATED June 12: Cybercrime has come to town in a big way. The Town of Arlington revealed at 5:45 p.m. Wednesday, June 5, that it had been hacked to the tune of nearly half a million dollars.

Parties unknown used numerous techniques to impersonate an Arlington High School vendor for more than four months, during which time the thieves diverted town payments to themselves. A town statement said the investigation found that this "threat-actor activity" occurred in the town’s Microsoft environment between Sept. 12, 2023, and Jan. 30, 2024.

The statement said other recent attempts to intercept wire payments totaled about $5 million during this time period, but these attempts were unsuccessful. It was further determined that the threat actors had not infiltrated the network.

Attack from overseas

It is believed that the attack was "perpetrated by an organization that is well resourced and located overseas," the statement says.

The situation has been undergoing diligent investigation ever since but, to preserve the integrity of that investigation, could not safely be publicly revealed until this month, the town statement said. Officials say that no data involving residents or any other sensitive information has been compromised. They also emphasize that, even though the fraud relates to the ongoing reconstruction of Arlington High School, that project will continue to go forward as planned.

ACMi interviews Town Manager Feeney:

"Through what is known as a business email compromise (BEC), perpetrators used phishing, spoofing, social engineering and compromised email accounts to ultimately facilitate wire fraud totaling $445,945.73," Town Manager Jim Feeney said toward the beginning of a lengthy news release on town letterhead. Toward the end of that statement, Feeney said that BEC offenses -- which are just one form of cybercrime -- are a near-$3 billion illegitimate industry, according to the FBI.


Closed meeting addresses crime

Wednesday evening's meeting of the Arlington School Committee, which oversees Arlington Public Schools, also known as the town's School Department, concluded with an executive session to "discuss the deployment of security personnel or devices, or strategies with respect thereto." No report back to open session was made or expected.

Contacted via email Thursday morning, Committee Chair Paul Schlichtman confirmed that the closed-door meeting was about the cybercrime. "This was a very sophisticated attack," he said. He added that "there are sufficient unspent contingency funds to cover the loss, and money recovered from our insurers will be used to replenish the contingency funds." He also noted that Feeney in the statement explained "that this loss does not negatively impact the completion of the High School Building project in any way."

The town statement from Feeney includes the following: "At [its Tuesday] June 4 meeting, the Arlington High School Building Committee voted to authorize payment to the vendor from the project funds. Any monies we recoup from this fraud will go back into this [AHS reconstruction] fund."

The statement also notes that "The matter was actively under investigation by law enforcement and our banking institution and could not be made public until these investigations were complete" and that "The Town of Arlington immediately contacted local and federal law enforcement agencies, including the Federal Bureau of Investigations and Secret Service, of the fraudulent payments, as soon as the fraud was discovered."

YourArlington has requested additional details.

This news announcement was published the evening of Wednesday, June 5, 2024, based on a news release from the Town of Arlington. It was updated Thursday, June 6, with a comment from Arlington School Committee Chair Paul Schlichtman as well as additional excerpts from the release about the situation. A cybercrime logo was added June 7, and an ACMi video June 12.