Online scam reveals a lack of controls

Experts say that the possible theft of $4.1 million in public funds shows problems in public administration systems and that cybercrime continues to accelerate

An online scam targeting the Employees Retirement System (ERS) which may have resulted in losing over $4 million in at least four public corporations will not affect pension payments.

However, this crime is the most recent proof of deficiencies in government systems or of the lack of will and resources to correct them, a problem the Office of the Comptroller (OCPR) has been pointing out for years and which has cost the Treasury millions of dollars.

Similarly, according to anti-fraud expert and certified public accountant Eduardo González Green, this new incident is another setback to the government's credibility regarding its capacity to manage public funds and this, in turn, also affects the island´s credibility to handle federal relief funds Washington has yet to release.

"Hearing this again only makes me angry," Comptroller Yesmin Valdivieso told El Nuevo Día, noting that for over a decade, the OCPR has been detecting deficiencies - that have never been corrected –agencies, public corporations, and municipalities systems including the management of bank accounts.

"There have been cases of agencies where employees have left 10 years ago and can still access their accounts," the official said.

"I'm afraid this is more often than we know in Puerto Rico because people don't want to share it," said González Green, referring to the cyber attack that would have affected the ERS. "And with reputation, one button is enough."

Pensions and money would be safe

In written statements, Public Affairs Secretary Osvaldo Soto García and Employees Retirement System (ERS) Administrator Luis M. Collazo Rodríguez said the situation will not affect ERS pensioners.

Meanwhile, Limary Cruz Rubio, a spokeswoman for the Federal Bureau of Investigation (FBI), indicated that the federal agency managed to "freeze" the money allegedly transferred to a fraudulent account, but did not provide further details on the case.

Cruz Rubio said that they can confirm that the money in the affected accounts was frozen, minimizing the impact on the public Treasury.

Statements by Soto García, Collazo Rodríguez, and the FBI came yesterday, one day after the Puerto Rico Police Department announced the Puerto Rico Industrial Development Company (PRIDCO) filed a complaint reporting the alleged loss of some $2.6 million.

According to the government, there are two other agencies under the umbrella of the Department of Economic Development & Commerce (DDEC) that have also been affected: the Tourism Company - last December - and the Trade and Export Company (CCE). The fourth public corporation that may have reportedly been affected is the Highways and Transportation Authority. In the case of the CCE and the PRHTA, the government did not provide figures.

Yesterday, at 9:00 am, El Nuevo Día asked the police for copies of the complaints that may have been filed but the requested information had not yet been provided by press time.

"Right now, it is the same crime and agency heads are instructed to collaborate in all administrative and criminal investigations being conducted. And there are specialized that have been assigned and hired since the incident was reported," said Soto García and Collazo Rodríguez in written statements, without revealing which entities the government hired to work on the situation.

The Governor, the Board, and federal funds

"This is a scheme. We've seen this in other places. Not only in Puerto Rico. Here, I don't want to go into details because it's part of the investigation,” governor Wanda Vázquez Garced said and added that these people use logos, official emails... they are experts in “hacking into accounts, government agencies. It's all part of the investigation that the FBI is conducting."

"The information we have is that the FBI, with the rapid reaction by the Secretary of Economic Development, was able to track the money and it is very likely that we will recover all of it," she added.

Given this situation and despite the police report placing the scam in mid-January, Vázquez Garced said the government learned of this fraudulent scheme last Monday.

Meanwhile, Resident Commissioner Jenniffer González admitted that the incident is like the same old story Puerto Rico.

"I would like to say no, but such a transfer casts terrible shadows over processes in Puerto Rico and public funds management processes," González said. "It's a big cloud that affects the credibility of the processes,” she added.

"We are aware of the situation, but we cannot comment on an ongoing investigation," said Oversight Board spokesman Edward Zayas, adding that the fiscal body "will continue to monitor the incident."

As news of the cyber-attack spread and was associated with the allocation of federal funds in Puerto Rico, Board director Andrew Biggs said on his Twitter account and as a personal opinion that Puerto Rico's path out of bankruptcy and into prosperity would have been improved with a fiscal board that was closer to the control board in Washington, D.C., with stronger powers.

A silent intruder

According to González Green, it is becoming increasingly evident that cyber pirates have become more sophisticated and are leaving their mark on Puerto Rico.

He said that recently, one of his customers who imports raw material - which requires wire transfer - fell victim to an online scam.

He explained that the cyber pirates broke into the company's accounting system, specifically accounts payable, and managed to replicate an invoice from one of the suppliers that was about to be delivered. The hackers made a phone call and the company's staff - seeing the alleged invoice in their system - understood that it was correct and made the payment.

According to González Green, the payment made by the company reached an account in an important bank on the mainland but was then transferred to a bank account in China, resulting in a loss for the client.

"We still think this only happens in movies," said González Green.

According to this antifraud expert, although what happened at the ERS still has to be determined, his firm recently completed the investigation of the theft of some $4.5 million from another company on the island and the situation was identified because the bank notified the company of an atypical movement in its accounts. The swift reaction prevented the loss, González Green said.

"That red flag is effective in banks, which are very active, and that is good, but it shouldn't happen," González Green said.

In the case of the government, according to González Green, old accounting systems and the fact that systems do not communicate with each other, which would allow a payroll transaction to be reflected in a ledger record, for example, make it more vulnerable to this type of attack.

List of critical deficiencies

However, according to Valdivieso, responding to an e-mail with an instruction to change a bank account at a government agency, a decision that would involve the transfer of millions of dollars, is not so simple.

She explained that, generally, such a decision at a government agency usually comes with a letter or some kind of regulation, communicated to the officials involved and published on the Office of Management and Budget, the ERS or the Treasury websites.

The problem, according to Valdivieso and Ivonne Plumey, OCPR's Director of Computer System Audits, is a reluctance to comply with the guidelines for managing technology, to update the existing guidelines and, in certain cases, the lack of resources.

And the same happens with controls on bank accounts, the officials said.

There are too many examples both in the central government and in public corporations and municipalities: managing official transactions from personal accounts, not limiting the access of a user with specific functions, and even allowing the same employee to perform various financial tasks that require separate controls.

Valdivieso said there have been cases of cyber attacks in municipalities where accounts have been emptied. But since in one of these municipalities account processes were frequent and they moved swiftly with the FBI, the money was recovered.

"What has been done with the guidelines is to virtually change the name and number, without considering that technology changes," Plumey said, referring to the guidelines that the government initially adopted between 2002 and 2004, and which subsequently would have been amended.

Consequences of the cuts

According to Valdivieso, if the cyber attack on the ERS is indeed confirmed, it will also serve to show that IT divisions are in the low priorities list of the government.

"I know the government is trying to save money, but we see that savings are mainly in the payroll," Valdivieso said. "What we see is that those controls are not working. We have audits that indicate that the Information Systems division has five positions and they are vacant."

"They leave the positions vacant, thinking that hiring someone from outside is the same as supervising these types of systems every day," Valdivieso said, stating that during this term, the government never opened the doors to the OCPR to adopt practices that would have avoided many of the administrative problems it faces.

Gloria Ruiz Kuilan, Paola Arroyo, Javier Colón Dávila and Alex Figueroa Cancel collaborated with this story.