A local enterprise partnership tried to lay the blame over a £1.1m fraud on Luton Borough Council, a meeting heard.
An organised and sophisticated crime group, with ties to money laundering and cyber-enabled crime, was responsible for stealing the £1.1m regeneration funding intended for a Bedfordshire school.
A user account of a South East Midlands Local Enterprise Partnership (SEMLEP) employee was illegally compromised by criminals, according to a report from the National Investigation Service (NATIS).
The money was due for payment in one instalment to Mark Rutherford School in Bedford for a teaching block project and lecture hall for science, technology, engineering and mathematics (STEM) provision.
Liberal Democrat Wigmore councillor Alan Skepelhorn told LBC’s scrutiny finance review group: “The more we do things digitally and electronically, the more security minded we need to be.
“SEMLEP tried to lay the blame on the council for its own shortcomings,” he said. “This isn’t really a great advert for the organisation.
“The first time it thinks about annual cyber security training is after it has £1m nicked by people we’ll never find.
“It highlights certain practices within both SEMLEP and the council probably weren’t as robust as they needed to be.”
LBC’s director of finance, revenues and benefits Dev Gopal said: “The money was paid in good faith. We thought the account was the school’s and it turned out to belong to the criminals.
“There was no liability to LBC for the money. We agreed with SEMLEP and the money was paid from one of its growth funds.”
“A first email came from a compromised SEMLEP address, with the next two from @sernlep. It looked absolutely genuine.
“The case isn’t closed. If there’s any extra evidence, it’s always on their (NATIS) radar.”
An email from a SEMLEP account was sent to the council in March 2020 with a request to change the supplier bank account for the school, said a report to councillors.
“It asked whether this change can be applied before the scheduled payment due the following day.”
The offenders deceived a council officer to alter the details and the £1.1m payment was sent from LBC to the newly registered compromised bank account.
“The ‘mule’ account used to receive the fraudulent payment was soon emptied and dissipated to a further ten accounts, including some located overseas, outside the UK jurisdiction,” added the report.
“There’s no reason to believe the council’s systems were compromised, leading to the misappropriation.
“In June 2020, the SEMLEP board agreed using growing places fund to underwrite the loss and pay a £1.1m grant to the school.
“The earliest identified unauthorised access of the SEMLEP employee’s email account was on February 4th, 2020 from an IP address to the United Arab Emirates.
“The locations change regularly around the globe, suggesting a sophisticated breach intended to hide the attacker’s identity.
“The investigation hasn’t been completed, as suspects are outstanding. But there’s little more that can be achieved.
“New bank account mandate systems have been agreed with SEMLEP for grant payments, so there’s now person-to-person contact.”
Get daily FREE news here:
https://www.bedsbulletin.com/bulletin/sign-up/
