ETHS Defrauded Of $48,570 In Hack That Exposed 1,139 Identities | Evanston, IL Patch
ETHS Defrauded Of $48,570 In Hack That Exposed 1,139 Identities
Records reveal 10 Evanston Township High School staff email accounts were compromised last year in a monthslong breach.
Jonah Meadows's profile picture
Jonah Meadows,
Patch Staff
Verified Patch Staff Badge
Posted Mon, Nov 29, 2021 at 6:32 pm CT
|
Updated Mon, Nov 29, 2021 at 6:54 pm CT
Replies (12)
The ETHS alumni office paid a fraudulent invoice for more than $48,000 after staff accounts were compromised last year, prompting questions about financial safeguards at the one-school district.
The ETHS alumni office paid a fraudulent invoice for more than $48,000 after staff accounts were compromised last year, prompting questions about financial safeguards at the one-school district. (District 202)
EVANSTON, IL — Evanston Township High School officials got scammed out of more than $48,000 during a monthslong data breach that also exposed the personal information of more than 1,100 Illinois residents, Patch has learned.
The fraudulent payment was reported to Evanston police, and the data breach was disclosed to the Illinois Attorney General's Office, as is required by law, according to police and school district records obtained by Evanston Patch via public records requests.
Neither the fraud nor the data breach had been made public, until now.
ETHS District 202 representatives have so far declined to answer questions about whether the district's spending safeguards were followed — or whether the incident is connected with the ongoing unexplained paid administrative leave of the district's top two human resources officials.
$48,570 Fraud Reported
District officials reported the payment of a fake vendor's invoice to police on June 5, 2020, according to police reports.
Find out what's happening in Evanston with free, real-time updates from Patch.
Your email address
Let's go!
That afternoon, ETHS Chief Financial Officer Mary Rodino called police to report that someone had "hacked" the email address of David Futransky, the district's executive director of alumni relations and senior director of institutional advancement.
Futransky's email account sent an invoice dated April 13, 2020 — requesting a $48,570 payment as a "professional fee" for a "Detailed analysis of current situation and development for Evanston Township High School" — to Development Specialist Karen Jones, who works under Futransky in the district's alumni department.
The invoice was received on May 22, paid on May 29, and discovered to be fraudulent on June 4, 2020, according to the Evanston police report of Rodino's account.
The purported purpose of the fraudulent payment was "alumni development services," officer Radoslaw Mazur reported.
"The invoice was paid out and did not raise any red flags because ETHS employees work remotely," Mazur said. "Rodino stated that the Information Technology Department at ETHS confirmed the hack."
Wider Breach Discovered
An internal district investigation found that 10 email accounts were accessed without authorization between March 17, 2020, and June 14, 2020, according to a legally required data breach notification sent to the attorney general's office on behalf of the district.
District officials later hired a computer security company and an outside law firm, and — six months after the breach began — issued a legally required notification to the Illinois Attorney General's Office revealing the personal information of more than 1,139 Illinois residents could have been compromised.
"The investigation did not determine whether the unauthorized individual viewed or acquired any contents in the accounts," wrote attorney David Kitchen, a partner at Baker & Hostetler, on behalf of the district, "however, Evanston [Township High School] was not able to rule out that possibility."
Kitchen said the district would send notification letters and offers of credit monitoring services to people whose identities — including Social Security, driver's license, financial account and payment card numbers, usernames and passwords, and some medical or health insurance information — had been exposed to potential hackers during the beach.
"I can confirm that the district met its legal obligation by mailing letter notifications to any individual (or parent/guardian of a minor) whose information may have been compromised in the email breach," Communications Director Takumi Iseda told Patch in an email.
Evanston Township High School officials paid a fraudulent $48,570 invoice during the early months of the district's more than 13 months of fully remote instruction. (ETHS)
Criminal Probe Remains Pending
The fraudulent invoice was made payable in the name of Serina V. Valdez, of Bakersfield, California. Her connection to the district was not clear, and she could not be reached for comment.
Det. David Cepiel was assigned to the investigation and prepared a request for a court order to identify the owner of the Wells Fargo account where the money was sent. He submitted a request for a grand jury subpoena to the Cook County State's Attorney's Office on June 12, 2020, but it took nearly a year of processing before the detective could submit it to the bank.
On Sept. 18, 2021, in response to the court order, Wells Fargo provided documents about the bank account, according to Cepiel. They showed that $40,500 was withdrawn from the account in a pair of in-person transactions shortly after the wire transfer went through.
"In addition, the vast majority of transactions on this account occurred in California," Cepiel reported.
A short time later, the criminal investigation into the fraudulent invoice was taken over by police in Bakersfield, California.
Bakersfield Police Department Sgt. Robert Pair this month confirmed an "open and active" fraud investigation had been forwarded by Evanston police, but no arrests had been made.
How Did It Happen?
Evanston Patch sent questions about how the fraudulent spending managed to make it past the district's vendor approval procedures to district spokespeople but did not receive a response Monday. According to the district's website, the accounts payable office is supposed to audit invoices before they are paid.
"After approval from the originating department invoices are electronically forwarded to the accounts payable office, where they are audited before being processed for payment," the website said. Vendors are also supposed to submit a "new vendor form."
But the "Vendor No." on the invoice was redacted by district officials, who described it as "private information" exempt from disclosure. Patch requested any associated vendor approval form but has yet to receive it.
The invoice was never listed in the bills lists included in last year's ETHS school board agendas, but it was included on the district's annual statement of affairs for the fiscal year that ended last summer. By law, such statements must disclose all contracts over $25,000.
According to district officials, ETHS's insurance provider covered the loss, other than its $2,500 deductible.
Records show Rodino, who reported the incident to police, recently put in notice that she plans to retire next year after nearly 16 years with the district.
What Was Role Of Human Resources?
District spokespeople did not respond to a question about whether either the email breach or the fraudulent invoice was connected to the paid administrative leave of the district's two top human resources officials, including the district's second-highest-paid employee, which began without explanation in early October.
District officials have also not responded to questions regarding whether the handling of an investigation into complaints about color guard and marching band coach Lorenzo Medrano was was related to Toya Campbell, chief human resources officer, and Yolanda Hardy, assistant chief human resources officer, being placed on paid leave.
Earlier this year, Campbell and Hardy cleared Medrano of wrongdoing in response to allegations of impropriety by female students. But in mid-September, Medrano was arrested and charged with child seduction in La Porte County, Indiana. Campbell suspended him the following day, pending the outcome of the police investigation in Northwest Indiana.
On Nov. 8, after the student representative on the school board said administrators and elected board members were "sending the complete opposite message than what we stand to be" with their handling of the matter, Board President Pat Savage-Williams promised the district would respond.
Patch asked Savage-Williams when the board would issue such a response and whether either administrators or board members planned to address the human resources officials' paid administrative leave. As of three weeks later, she had not responded, and the board had issued no response.
Records reveal 10 Evanston Township High School staff email accounts were compromised last year in a monthslong breach.
Jonah Meadows's profile picture
Jonah Meadows,
Patch Staff
Verified Patch Staff Badge
Posted Mon, Nov 29, 2021 at 6:32 pm CT
|
Updated Mon, Nov 29, 2021 at 6:54 pm CT
Replies (12)
The ETHS alumni office paid a fraudulent invoice for more than $48,000 after staff accounts were compromised last year, prompting questions about financial safeguards at the one-school district.
The ETHS alumni office paid a fraudulent invoice for more than $48,000 after staff accounts were compromised last year, prompting questions about financial safeguards at the one-school district. (District 202)
EVANSTON, IL — Evanston Township High School officials got scammed out of more than $48,000 during a monthslong data breach that also exposed the personal information of more than 1,100 Illinois residents, Patch has learned.
The fraudulent payment was reported to Evanston police, and the data breach was disclosed to the Illinois Attorney General's Office, as is required by law, according to police and school district records obtained by Evanston Patch via public records requests.
Neither the fraud nor the data breach had been made public, until now.
ETHS District 202 representatives have so far declined to answer questions about whether the district's spending safeguards were followed — or whether the incident is connected with the ongoing unexplained paid administrative leave of the district's top two human resources officials.
$48,570 Fraud Reported
District officials reported the payment of a fake vendor's invoice to police on June 5, 2020, according to police reports.
Find out what's happening in Evanston with free, real-time updates from Patch.
Your email address
Let's go!
That afternoon, ETHS Chief Financial Officer Mary Rodino called police to report that someone had "hacked" the email address of David Futransky, the district's executive director of alumni relations and senior director of institutional advancement.
Futransky's email account sent an invoice dated April 13, 2020 — requesting a $48,570 payment as a "professional fee" for a "Detailed analysis of current situation and development for Evanston Township High School" — to Development Specialist Karen Jones, who works under Futransky in the district's alumni department.
The invoice was received on May 22, paid on May 29, and discovered to be fraudulent on June 4, 2020, according to the Evanston police report of Rodino's account.
The purported purpose of the fraudulent payment was "alumni development services," officer Radoslaw Mazur reported.
"The invoice was paid out and did not raise any red flags because ETHS employees work remotely," Mazur said. "Rodino stated that the Information Technology Department at ETHS confirmed the hack."
Wider Breach Discovered
An internal district investigation found that 10 email accounts were accessed without authorization between March 17, 2020, and June 14, 2020, according to a legally required data breach notification sent to the attorney general's office on behalf of the district.
District officials later hired a computer security company and an outside law firm, and — six months after the breach began — issued a legally required notification to the Illinois Attorney General's Office revealing the personal information of more than 1,139 Illinois residents could have been compromised.
"The investigation did not determine whether the unauthorized individual viewed or acquired any contents in the accounts," wrote attorney David Kitchen, a partner at Baker & Hostetler, on behalf of the district, "however, Evanston [Township High School] was not able to rule out that possibility."
Kitchen said the district would send notification letters and offers of credit monitoring services to people whose identities — including Social Security, driver's license, financial account and payment card numbers, usernames and passwords, and some medical or health insurance information — had been exposed to potential hackers during the beach.
"I can confirm that the district met its legal obligation by mailing letter notifications to any individual (or parent/guardian of a minor) whose information may have been compromised in the email breach," Communications Director Takumi Iseda told Patch in an email.
Evanston Township High School officials paid a fraudulent $48,570 invoice during the early months of the district's more than 13 months of fully remote instruction. (ETHS)
Criminal Probe Remains Pending
The fraudulent invoice was made payable in the name of Serina V. Valdez, of Bakersfield, California. Her connection to the district was not clear, and she could not be reached for comment.
Det. David Cepiel was assigned to the investigation and prepared a request for a court order to identify the owner of the Wells Fargo account where the money was sent. He submitted a request for a grand jury subpoena to the Cook County State's Attorney's Office on June 12, 2020, but it took nearly a year of processing before the detective could submit it to the bank.
On Sept. 18, 2021, in response to the court order, Wells Fargo provided documents about the bank account, according to Cepiel. They showed that $40,500 was withdrawn from the account in a pair of in-person transactions shortly after the wire transfer went through.
"In addition, the vast majority of transactions on this account occurred in California," Cepiel reported.
A short time later, the criminal investigation into the fraudulent invoice was taken over by police in Bakersfield, California.
Bakersfield Police Department Sgt. Robert Pair this month confirmed an "open and active" fraud investigation had been forwarded by Evanston police, but no arrests had been made.
How Did It Happen?
Evanston Patch sent questions about how the fraudulent spending managed to make it past the district's vendor approval procedures to district spokespeople but did not receive a response Monday. According to the district's website, the accounts payable office is supposed to audit invoices before they are paid.
"After approval from the originating department invoices are electronically forwarded to the accounts payable office, where they are audited before being processed for payment," the website said. Vendors are also supposed to submit a "new vendor form."
But the "Vendor No." on the invoice was redacted by district officials, who described it as "private information" exempt from disclosure. Patch requested any associated vendor approval form but has yet to receive it.
The invoice was never listed in the bills lists included in last year's ETHS school board agendas, but it was included on the district's annual statement of affairs for the fiscal year that ended last summer. By law, such statements must disclose all contracts over $25,000.
According to district officials, ETHS's insurance provider covered the loss, other than its $2,500 deductible.
Records show Rodino, who reported the incident to police, recently put in notice that she plans to retire next year after nearly 16 years with the district.
What Was Role Of Human Resources?
District spokespeople did not respond to a question about whether either the email breach or the fraudulent invoice was connected to the paid administrative leave of the district's two top human resources officials, including the district's second-highest-paid employee, which began without explanation in early October.
District officials have also not responded to questions regarding whether the handling of an investigation into complaints about color guard and marching band coach Lorenzo Medrano was was related to Toya Campbell, chief human resources officer, and Yolanda Hardy, assistant chief human resources officer, being placed on paid leave.
Earlier this year, Campbell and Hardy cleared Medrano of wrongdoing in response to allegations of impropriety by female students. But in mid-September, Medrano was arrested and charged with child seduction in La Porte County, Indiana. Campbell suspended him the following day, pending the outcome of the police investigation in Northwest Indiana.
On Nov. 8, after the student representative on the school board said administrators and elected board members were "sending the complete opposite message than what we stand to be" with their handling of the matter, Board President Pat Savage-Williams promised the district would respond.
Patch asked Savage-Williams when the board would issue such a response and whether either administrators or board members planned to address the human resources officials' paid administrative leave. As of three weeks later, she had not responded, and the board had issued no response.
