Nassau County Investigating, Training In Wake Of Cyber Scam

Nassau County has taken action in the wake of the County Comptroller's Office falling for a scam that cost the county hundreds of thousands of dollars. Republicans in the County Legislature have called for an audit of the comptroller's office, while County Executive Laura Curran signed an executive order today mandating cybersecurity training for county employees.

In October 2019, County Comptroller Jack Schnirman's office fell victim to a phishing scam that resulted in the county paying $710,000 to fraudsters instead of a county contractor. The scammers posed as a vendor who does business with the county and sent an email to the comptroller's office to change the payment method and have the money sent to a new account. The money was later recovered. The public was notified of the scam on Jan. 11.

Republicans on the County Legislature have blasted the comptroller, a Democrat, for a lack of oversight of the county's finances. The comptroller's office didn't discover the fraud — it was instead discovered by a bank employee who saw the unusual activity and froze the money.

At a hearing, Schnirman said that no phone call was made to the vendor to verify the payment changes.

In response to the scam, the Republican majority in the Legislature wants both the state comptroller and the Nassau County Inspector General to audit the county comptroller's office and its practices of handling county finances. The county Inspector General agreed to conduct a review of the county comptroller's security systems and practices.

"My fellow members of the majority delegation to the legislature and I have no confidence that taxpayer funds are being properly handled," said Deputy Presiding Officer Howard Kopel. "We must do everything in our power as legislators to ensure tax dollars are protected."

In addition to the Inspector General's review, County Executive Curran signed an executive order today that will mandate cybersecurity training for all county employees that use a computer as part of their jobs.

The training will instruct employees on how to protect the county's systems from email threats like ransomware, phishing scams and data breaches. All county employees will be required to complete the training by March 31.

Curran said the county is also undertaking a risk assessment of its cybersecurity systems and the computer servers.

“As cybercriminals become savvier, cybercrimes are becoming more and more frequent," Curran said. "We have seen too many incidents in the county and across the country where cyber criminals have held data hostage and I am determined to do everything possible to prevent the county from becoming another victim. This measure will help to protect the county from phishing and cyberattacks by educating our workforce on how to spot and avoid these threats.”

Nassau County is not the only institution to be hit by a cyber attack. Last year, the Rockville Centre School District paid $90,000 in ransom to hackers who were holding the school district's computer files hostage with a virus.