The Massachusetts Clean Energy Center lost almost $94,000 to a phishing scam last year, and most of the money was never recovered.
On Jan. 9, 2017, MassCEC responded to a phishing email and wired $93,679 in taxpayer money into the bank account of a scammer. It took the agency a month to figure out what had happened. And another seven months to report it to its own board of directors on Sept. 15.
According to a government audit of MassCEC, “MassCEC did not have written policies and procedures in place to promptly notify the board of directors of incidents or actions such as thefts or breaches of information security controls within a specific time frame.”
When the board of directors was finally notified, the agency contacted Boston Police and the office of Massachusetts Attorney General Maura Healey. The FBI was not contacted, and no formal criminal complaint was filed. The same government audit found that “MassCEC did not prevent or properly report the theft of $93,679 in public funds.”
Authorities were able to recover less than one-third of the missing money, but the cyber criminals managed to get away clean with $68,418. State Auditor Suzanne Bump said that if the crime had been promptly reported to the proper authorities, “it may have been possible to recover additional funds and pursue prosecution.” Instead, Bump said that the “funds that were stolen will likely never be recovered.”
MassCEC was created under the Green Jobs Act of 2008. According to its website, MassSEC is “dedicated to accelerating the success of clean energy technologies, companies and projects in the Commonwealth—while creating high-quality jobs and long-term economic growth for the people of Massachusetts.”
The agency is funded by a tax on municipal electric departments, which adds up to roughly 30 cents per taxpayer.
What has the agency said?
MassCEC spokesperson Craig Gilvarg released a statement that said:
The Massachusetts Clean Energy Center takes seriously its responsibility as a steward of public funds and, upon discovering a fraudulent wire transfer in February 2017, immediately engaged in a comprehensive internal review and implemented a number of new processes designed to identify fraudulent activity and prevent theft.