Baltimore lost $1.5M in business email compromise

A March cyberattack led to more than $1.5 million in identity theft fraud for the City of Baltimore, according to its comptroller’s office.

The city was notified of a cyberattack on Mar. 13 on its accounts payable department by a cybercriminal who used identity theft to gain access to more than $1.5 million in payments intended for a city vendor, Erika McClammy, deputy comptroller for the Maryland capital, told Baltimore TV station WBAL.

“We don’t know yet who actually the bad actor was. Obviously, they probably have several names,” McClammy said. “They were able to bypass Baltimore City’s geofencing. They used [Starlink] IP addresses.”

According to the report, the perpetrator established contact with the city last fall and nurtured a relationship with various city departments by using publicly available information online to adopt the name of a current vendor employee and infiltrate the city’s IT systems.

The infiltration took place around the time the state awarded $1.8 million to fund training at community colleges with the aim of bolstering the state’s cybersecurity talent pipeline.

In February, after months of building a trusted rapport, the cybercriminal changed the vendor’s banking information and cashed one check in February for $803,000. They attempted to cash an additional check in March for $721,000, which the bank flagged as fraud.

“We went into immediate action. We froze the account that we have set up for that vendor so that nothing else could occur,” McClammy told the news station.

Officials at the Maryland Department of Information Technology declined to comment due to the ongoing cybersecurity investigation.