In September of 2019, Montgomery College (MC) was the victim of a targeted cybersecurity attack from entities outside the College. The intrusion, classified as cyber fraud, allowed funds to be stolen and placed in a fraudulent bank account. In a memorandum issued this morning to MC employees, students, and constituents, College officials outlined the total loss from the crime, additional details of the crime, the independent financial auditor’s findings, and several of the additional control measures the College has taken to ensure attacks like this are dealt with accordingly.
The financial audit for the fiscal year 2020, which ended June 30, has now been closed. Clifton Larson Allen (CLA), the certified public accounting firm hired to perform our annual financial statement audits, issued its opinion September 30, 2020.
The original amount of loss was $2.8 million—an amount that was invoiced by a legitimate vendor. Appropriate controls were adhered to by MC’s staff in multiple departments to verify the legitimacy of the invoicing. However, criminals manipulated a process that allowed the diversion of payments to a fraudulent bank account.
Because the College acted quickly, $1.1 million—39 percent of the loss—has been recovered. The College has worked diligently with law enforcement agencies and its bank to pursue the perpetrators and restore the funds. The College immediately took action after the incident, completing a thorough internal investigation and working tirelessly with the FBI, banking partners, accreditors, and Montgomery County’s inspector general. The College communicated the fraud incident to both the internal College community and to local media.
Several new internal controls were put in place immediately following the incident, including fraud awareness training, which was delivered to almost 300 employees at the College over three months. The College’s cybersecurity training, which also strengthens employee vigilance around attempted intrusions, has been taken by more than 2,000 employees in the last 13 months. The College continues to provide trainings that strengthen employees’ skills at fraud detection in an effort to protect the institution from future attacks. In addition, the College hired a separate accounting firm, independent of CLA, to perform an audit of its financial controls as well as an audit of vendors and contracts management. This audit concluded in August 2020 and provided additional recommendations for financial controls and vendor management.
The College’s net loss of $1.7 million represents 0.5% of the College’s fiscal year 2020 budget. The financial loss did not prevent, and is not preventing, the College from continuing standard operations. As of this time, MC has no new information from the FBI related to its criminal investigation. These types of investigations can take several years and are sometimes connected to wider networks of fraudulent activity. There is no evidence that any College employees were involved in the fraud scheme, and MC employees remain the most valuable assets in fraud prevention.
Although the College was a victim in this fraud scheme, it is taking this opportunity to affirm its longstanding commitment to sound financial practices and to any improved protocols that might grow out of the investigations. The College is still hoping to recover more of the stolen funds through ongoing investigations. Given MC’s strong fiscal stewardship, it is able to manage this loss within the budget and will not ask the county or state to make up for the lost funds.
This experience has been a lesson in the sophistication that criminals have developed around fraudulent incursions and a reminder that Montgomery College and its stakeholders must all remain vigilant.