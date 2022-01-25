When the Town of Peterborough was hit by a $2.3 million cyber fraud last year, state officials in charge of computer security say they were in the dark about it until they read news reports.
A bill that cleared the House Municipal and County Government Committee on Monday would require local governments to report such crimes to the N.H. Department of Information Technology immediately.
The department could help respond to the crimes with state and federal resources, N.H. Chief Information Officer Denis Goulet, the department’s commissioner, told the panel.
Also, such early reporting could prevent other communities from falling victim to the same crime or type of crime.
Another goal of the bill, which passed the committee 19-0, is to protect state systems that are connected to municipal offices, Goulet said.
Cyber fraud against municipalities has been growing exponentially in New Hampshire, as measured by the number of insurance claims filed.
The state did not find out about the email scam against Peterborough until reading a newspaper report on Aug. 24, one day after the town disclosed the crime in a news release, Goulet told The Sentinel Monday.
A timeline prepared by Peterborough officials said the first hint of the fraud came on July 26 when a town vendor, the ConVal Regional School District, said it had not received a $1.2 million payment.
The town discovered on Aug. 18 that July 9 and Aug. 13 payments to Beck & Bellucci, a bridge contractor, had also not been received. Perpetrators of the fraud posed as representatives of the school district and the bridge contractor in emails and directed Peterborough officials to change routing information on electronic payments, the town said.
Goulet said in an interview Monday that his department likes to learn about such cases sooner rather than later.
“Sometimes we find out about things that were important to us in the media; in other words, we read about it and go, ‘Oh I wish I had known that a week ago when it popped or whatever.’ ”
He said that in 2016 an executive order required state agencies to report to him when they had fallen victim to cyber crimes.
There appears to be a reticence to report these issues early when the extent of the problem may not be completely clear, Goulet said.
“Of course, that’s a bad approach because cyber incidents don’t age well,” he said.
The problem can grow in scope, if not quickly addressed.
Based on Peterborough’s timeline, if the town had stopped all electronic vendor payments once the school district payment had gone missing, it could have prevented the loss of one of the payments to the bridge contractor.
Embarrassment can also delay reporting of cyber crime, Goulet said.
“There should be no embarrassment,” he said. “It’s not a situation where somebody is good or bad. It’s a situation where knowing about it can help protect citizen data and keep the government running.”
Meanwhile, there are cases when his department and the public never learn a municipality has been hit by a cyber crime, even though taxpayer money has been stolen.
Mike Ricker, general counsel for the N.H. Public Risk Management Exchange (Primex), said 25 cyber crimes were reported last year among the towns and cities the organization insures, up from 14 in 2020 and four in 2019.
He said he could not provide names of the municipalities involved.
The ATOM Group, a Portsmouth-based computer consulting service that helps towns and cities recover from cyber crimes, is now renting space from Primex in Concord.
“This allows them a more central location from which to deploy on cyber breach incidents involving our local government entity members,” Ricker said.
Peterborough was assisted in the aftermath of its cyber scam by the ATOM Group and the U.S. Secret Service. The federal law enforcement agency recovered about $600,000 of the stolen $2.3 million in taxpayer money. Nobody has been arrested.
Nicole MacStay, Peterborough town administrator, said Tuesday morning that she did not know enough about the bill to comment on it.
House Bill 1277, which now goes to the full House, would take effect 60 days after its passage. The prime sponsor is Peter Somssich, D-Portsmouth.
The Department of Information Technology maintains an around-the-clock ability to respond to governmental reports of incidents that violate cyber security and confidentiality.