A scammer was able to take $15,000 from an East Baton Rouge Parish retirement account, but staff were able to reverse the fraud, a recent audit found.
It's just the latest case of scammers and hackers targeting Louisiana government agencies. Attacks have ranged from a massive breach of the Office of Motor Vehicles that exposed personal information for millions of people to cyberattacks that crippled the computer infrastructure of public universities, all at a mounting cost to taxpayers.
The retirement system incident shows how personal information like a social security number can be used to cause financial harm.
"The OMV breach––that’s gonna be so far reaching," said Diane Allison, director of local government services at the Louisiana Legislative Auditor’s office.
In a report released Monday, the Louisiana Legislative Auditor's office said the City of Baton Rouge and Parish of East Baton Rouge Employees’ Retirement System (CPERS) received a withdrawal request via email for an employee’s Deferred Retirement Option Plan (DROP) account.
The email asked to change the bank account information of the employee and included a social security number, new banking information, a name and address.
The request was processed, but the employee noticed the funds were missing from his regular pension payment and notified CPERS that he had not made a withdrawal request.
Management immediately contacted the bank to reverse the transfer.
“Management is reminded and must ensure that any misappropriation of public funds must be in writing and reported to the parties identified above when they become aware of such matters,” CPERS wrote in its annual financial report.
Law enforcement determined that the employee's information came from the breach of a national firefighters group, not a breach of the local retirement system.
To ensure something similar doesn’t happen in the future, officials implemented new procedures.
“When accepting banking changes, staff remains required to verify the member’s identification when the request is made in-person. Secondly, the staff member who makes the manual changes in the system for a request that comes in via fax and/or email is required to confirm with a phone call the changes requested and ensure account numbers are correct,” the agency said in its response to the report. “Lastly, staff is required to review and flag any banking institution that is not immediately recognizable, such as non-traditional banks and online-only institutions.”
The retirement system reported the incident to local law enforcement, but the auditor's report dinged officials for failing to report the breach to its office or to the district attorney, as required by state law.
“We do an audit every single year to look for everything we need to improve upon. That’s the whole point of doing an audit,” said Mark Armstrong, chief communications officer for the city-parish. “That particular case, we reported it to the federal law enforcement and local law enforcement, but what they cited us for was not reporting to the Legislative Auditor’s office or the district attorney. That’s what I understand to be the deficiency there, but we took appropriate actions outside of that.”