(Bloomberg) — Three months after cyber bandits hacked White Lake Township, Michigan, stealing about $30 million during the closing of a municipal-bond offering, the Detroit suburb is returning to the market.
Most Read from Bloomberg
The community of 32,000 plans to sell $29 million of bonds after the cyberattack forced it to cancel a debt issue to finance the construction of a civic center.
On the day of the initial sale’s closing in November, criminals impersonated a township official after gaining access to the municipality’s email, according to an offering document for the upcoming sale. The hackers then directed Robert W. Baird & Co., the investment bank that bought the bonds, to wire the purchase price to an account they set up.
About $21.3 million of the funds have been recovered and returned to Baird, according to the document. The investigation by federal authorities and the White Lake Township Police Department is ongoing.
“This requires a threat actor that has a really good and intimate knowledge of the bond sale process in the US,” said Omid Rahmani, a Fitch Ratings analyst and expert in public-sector cyber risk. “This isn’t just a haphazard shotgun attack against the entity hoping you get something. This is something that has a lot of premeditation. You have to get the timing just right for it to work.”
Rahmani said it was the first time in his almost decade-long career that he remembers a municipality disclosing the hijacking of bond proceeds. It likely won’t be the last, he said.
“The thing about cyber crime is that it’s kind of like when you go exploring a new territory. Once you establish a trail-head, then that becomes a way of travel,” he said. “Once you have proof of concept of attack, then others are going to want to mimic that.”
Township supervisor Rik Kowall and Police Chief Dan Keller didn’t return calls seeking seeking comment. A spokesperson for Baird also didn’t reply to requests for comment.
Threat to Localities
The incident underscores the threat that states and localities face from cyber criminals. Small local governments tend to be understaffed and their information-security employees are often paid less than their private-sector counterparts. Municipalities — stretched by the increasing cost of providing services and paying retiree benefits — also may not have the money to beef up cyber-security investments, leaving them ill-equipped to thwart such attacks.