The Water and Power Authority issued a brief statement over the weekend giving a small amount of information on how more than $2 million was apparently stolen from the utility. News of the loss came out last week and was the source of ire at a June 5 Senate committee hearing.
Twice in 2018, WAPA paid invoices that appeared to be from a legitimate vendor, paying out $2.17 million, according to the statement from WAPA, which refers to the scam as a “Business Email Compromise.” The FBI is investigating the thefts.
A Business Email Compromise is a type of scam targeting companies that conduct wire transfers. Corporate or publicly available email accounts of employees who conduct financial transactions or are involved with wire transfer payments are either spoofed or compromised through key-loggers or phishing attacks, and are then used to carry out fraudulent fund transfers.
Since the incidents, WAPA has provided overall cybersecurity training for its staff, as well as training on recognizing phishing emails that can lead to this type of scam, and has revised its financial control procedures.
“The training is recurring, and we use controlled phishing emails to test our employees’ ability to determine authentic from bogus emails,” WAPA Executive Director Lawrence Kupfer said in the news release.
“While we can say very little until the federal investigation into the incidents is complete, I thought it prudent, in light of the Senate discussion this week, to reassure the community that while WAPA was victimized by the BEC incidents, we have taken all advisable security measures to ensure an incident of this nature does not recur. Equally as important, WAPA’s networks, customer information, computer systems, or its overall digital infrastructure were not compromised,” Kupfer added.
Efforts to get more information from WAPA spokesperson Jean Greaux on Monday were unsuccessful. Greaux said he was not authorized to say more than what was in the news release.
Among the questions awaiting answers are:
– As money was moved out of an account to another location, can that be traced?
– What vendors did the thieves imitate?
– Are there any leads on who carried out the scam?
This and other instances of apparent mismanagement have bolstered calls by some senators, Public Service Commission members, the St. Croix Chamber of Commerce, radio hosts and others to punish WAPA by not allowing it to charge enough to pay for the fuel it purchases and not allowing it to increase the base rate to pay for equipment leases, training and maintenance of its facilities.
If WAPA cannot pay for the fuel it burns, it will be unable to purchase fuel to burn to generate power.
If WAPA cannot pay for maintenance or upgrades, it will not perform maintenance or upgrades to improve reliability and efficiency.