Somebody — or a lot of somebodies — stole $19 million from the Kern County treasury over the past three to five years.
Who did it?
How did they do it?
The answer to the first question won’t be known for months. Federal Bureau of Investigation agents are currently poring over thousands of fraudulent transactions trying to track down the culprits.
Those investigators aren’t talking about the answer to the second question either.
But interviews with officials from the Kern County Treasurer-Tax Collector’s office, the Kern County Superintendent of Schools office and a new cybercrime-fighter training program at Cal Poly San Luis Obispo offer some clues.
Jon Von Flue, the assistant superintendent who is tasked with overseeing finances at the superintendent of schools office, has gone through all the fraudulent transactions since the breach of the accounts was discovered in early February.
He said he’s convinced most if not all of the pilfering came from outside his organization.
“It’s not somebody inside forging a check,” he said. “It appears to be a cyber-type attack from the outside. This is all cyber stuff.”
Kern County Treasurer-Tax Collector Jordan Kaufman, who first alerted the public to the loss, said the money wasn’t going to individual people.
“The majority of the fraud activity was made (paid) to larger institutions and corporations,” he said.
Early in the investigation, Von Flue said companies like AT&T, department stores and other entities were being paid out of the two clearing accounts that served the KCSOS and the Kern Community College District.
Think credit card fraud on a massive scale.
Someone gets ahold of your credit card — or even just the card number and three-digit verification on the back.
They can then use that card to pay their cellphone bills, buy new clothes or make other payments, whether they are in Los Angeles, Florida, the Middle East or Tahiti.
The only difference here is that the $19 million loss was coming from checking accounts powered by taxpayer funds from 47 school districts, the county superintendent’s office and the regional community college district.
A little history might be in order before we go much further.
On Feb. 7, Kaufman’s office announced that it had detected long-term fraud on clearing accounts — essentially government checking accounts — held in the Kern County treasury on behalf of the KCCD and KCSOS.
After weeks of investigation, he announced that the loss totaled $19 million. The KCCD account lost $16.4 million and the KCSOS account lost $2.6 million. About 30 percent has not yet been recovered.
The money, Kaufman explained, was taken over the past two to three years, though most of the losses were experienced in the past three to five months.
Why wasn’t it caught in all that time?
The superintendent of schools office and KCCD regularly monitored the traffic in and out of their main funds in the county treasury and meticulously documented and funded their legitimate payments to employees and service vendors.
But the losses weren’t in those accounts.
They were in clearing accounts where all the checks they authorized were actually paid.
Over time, the funds that recorded the activity in those accounts built up larger and larger negative balances.
But neither district had access to the transaction-level data on those clearing accounts, at the time of the fraud. The Kern County Auditor-Controller’s office had previously notified both districts, in 2005, that it would no longer be reconciling those accounts.
A quick glance at that data would have revealed that money was being stolen.
But nobody was watching the money.
Over the past couple of years the fact no one was paying attention to those accounts became clear to thieves.
Kaufman said the fraudulent transactions started small and escalated slowly. They exploded “exponentially” in the past several months.
Von Flue said gaining access to the accounts is not that difficult.
The money came from payroll accounts, he said.
“Anybody who got a check has that account information on it,” he said.
It’s not a distant leap from there to criminal use of data.
“It sounds like somebody was probing the system,” said Bruce Burton, the program manager of Cal Poly San Luis Obispo's new California Cyber Training Complex.
The university program, a partnership with the California National Guard, is designed to train law enforcement officials and students to investigate cybercrime and build defenses against cybercriminals.
He said the State of California recorded $200 million in losses from cyberfraud in 2016. And an ongoing effort is being made to find and combat cybercriminals. But it’s challenging work.
“Many of these attacks are launched from foreign countries,” he said. “It’s very difficult to do something to bad guys that are 10,000 miles away.”
Bruce Pixley, an instructor at CCTC and a former Santa Barbara County Sheriff’s Office cybercrime expert who consults with the U.S. Department of Justice, said online thievery is just a new angle for a very old crime.
And thieves are very clever at routing money through the financial network to claim a financial benefit without getting caught.
They encrypt communications, collaborate with other criminals and come up with unique ways to turn access to a lucrative account into cash.
“They’re always looking for ways to keep their distance from something coming back to them,” Pixley said.
Von Flue said names are attached to the fraudulent transactions but that doesn’t mean anything.
“We don’t know what names are real or not,” he said.
He suspects multiple criminals are involved.
Someone found out the accounts were vulnerable and a lot of people exploited it.
“I think of it as ‘somebody breaks a window and everybody jumps through it,’” Von Flue said.
Catching those criminals means long, tedious hours picking through data, hunting down internet protocol numbers, pulling in data through search warrants and following the money through all the twists and turns, Pixley said.
“How did the information get leaked, what’s the vulnerability, what’s the exploit,” he said.
While FBI investigators track down those answers, the superintendent of schools office, the treasurer-tax collector’s office and the Kern Community College District work to get back as much of the lost funds as possible.
The agencies have been trying to get the money back by reversing charges — essentially canceling the payments made using the compromised accounts and returning the money to the county treasury.
Ultimately, it will be those businesses that must shoulder most of the multimillion-dollar bill for the fraud.
So far, Kaufman said Friday, the county and the two districts have recovered $11.8 million of the missing KCCD money and $1.7 million of the Kern County Superintendent of Schools funds.
But nearly $5.6 million remains missing.
Efforts to pull back more money are continuing, Kaufman said.