₹12.45 crore Lost in Workday System Breach

City Vendor Scam: ₹12.45 Crore Vanishes in Baltimore Cyberattack

The420.in

According to the Office of the Inspector General’s report, cybercriminals manipulated Baltimore’s electronic Workday system by gaining access to a vendor’s account. Once inside, the attackers altered bank account details associated with the vendor and redirected two large payments to their own accounts.

The stolen amounts included:

  • $803,384.44 (≈ ₹6.67 crore) in one transaction.
  • $721,236.60 (≈ ₹5.99 crore) in another.

The city only detected the theft after a bank raised questions about the legitimacy of one of the payments. By then, the funds had already been diverted.

Inspector General Isabel Cumming explained that the hackers showed sophistication:

“They had enough knowledge to change one thing and after they changed one thing, they waited and reached out and changed the second part.”

Weak Verification and Delayed Response

The report pointed to human error and weak verification protocols as major enablers of the heist. The city’s Accounts Payable Director acknowledged that the safeguards for verifying supplier accounts were insufficient.

Adding to the delay, outdated contact information for the Baltimore Police Department’s Cybercrime Unit meant it took nearly a week for law enforcement to be notified after the theft was discovered.

Cumming emphasized the importance of timely action in cybercrime response: “Time is of the essence… Sometimes we need to be old school — trust but verify.”

Financial Impact and Recovery Efforts

As of now, Baltimore has not been able to recover more than half of the stolen funds. Roughly $800,000 (≈ ₹6.64 crore) remains missing, raising concerns about the effectiveness of the city’s recovery strategy.

The Inspector General’s office has launched an active investigation, and law enforcement agencies are pursuing leads. The incident has forced the city to introduce additional safeguards in its financial systems to prevent future fraud attempts.

Broader Implications for Municipal Cybersecurity

This breach highlights the growing risk cities face from business email compromise (BEC) and vendor fraud schemes, where attackers exploit gaps in electronic payment and vendor management systems.

Key lessons from the Baltimore incident include:

  • The critical need for robust vendor verification procedures.
  • Ensuring up-to-date contacts with cybercrime authorities.
  • Implementing multi-factor authentication (MFA) and layered security in ERP/Workday systems.
  • Regular cyber awareness training for financial staff handling payments.

For Baltimore, the heist represents not just a financial setback but also a wake-up call to strengthen defenses against increasingly sophisticated cybercriminal tactics targeting municipal governments.
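One way an accounts-payable team could put the vendor verification lesson into practice is a pre-payment hold check, sketched below as an added example that is not from the Inspector General's report or from Workday. The record fields, the 30-day window, the callback flag and the sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

HOLD_WINDOW = timedelta(days=30)  # assumed cooling-off period, not from the report

# Constructed sample data; field names are hypothetical, not Workday's schema.
CHANGES = [
    {"vendor": "V-1001", "field": "contact_email", "at": "2024-03-01", "verified_by_callback": False},
    {"vendor": "V-1001", "field": "bank_account", "at": "2024-03-12", "verified_by_callback": False},
    {"vendor": "V-2002", "field": "bank_account", "at": "2024-03-05", "verified_by_callback": True},
]
PAYMENTS = [
    {"id": "P-1", "vendor": "V-1001", "amount": 250000.00, "due": "2024-03-20"},
    {"id": "P-2", "vendor": "V-2002", "amount": 90000.00, "due": "2024-03-21"},
    {"id": "P-3", "vendor": "V-3003", "amount": 40000.00, "due": "2024-03-22"},
]

def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def review_payments(payments, changes, window=HOLD_WINDOW):
    """Return {payment_id: [reasons]} for payments that should be held for review."""
    holds = {}
    for p in payments:
        due = _day(p["due"])
        # Vendor-record edits made within the window before this payment is due.
        recent = [c for c in changes
                  if c["vendor"] == p["vendor"]
                  and timedelta(0) <= due - _day(c["at"]) <= window]
        unverified_bank = [c for c in recent
                           if c["field"] == "bank_account"
                           and not c["verified_by_callback"]]
        reasons = []
        if unverified_bank:
            reasons.append("bank details changed without callback verification")
        # Several different fields edited before a payout matches the staged
        # "change one thing, wait, change the second part" pattern.
        if unverified_bank and len({c["field"] for c in recent}) > 1:
            reasons.append("staged changes: multiple vendor fields edited before payment")
        if reasons:
            holds[p["id"]] = reasons
    return holds

if __name__ == "__main__":
    for pid, reasons in review_payments(PAYMENTS, CHANGES).items():
        print(pid, "HOLD:", "; ".join(reasons))
```

A held payment is released only after someone confirms the new bank details with the vendor through a contact that was on file before the change.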
