Council and LEP fall victim to sophisticated £1.1m cyber fraud

A report from the National Investigation Service (NATIS) has concluded that South East Midlands Local Enterprise Partnership (SEMLEP) and Luton Council were victims of serious fraud perpetrated by a highly sophisticated international organised crime group, with ties to money laundering and cyber-enabled crime.

That conclusion has come from a report by NATIS into how £1.1m intended for a local school disappeared. NATIS is a body that counters organised fraud against the public sector, and involves Government, the police, the Crown Prosecution Service and Thurrock Council.

SEMLEP had earmarked the £1.1m from its Local Growth Fund in 2020 for Mark Rutherford School. Luton Council acts as SEMLEP’s accountable body. A SEMLEP employee’s user account was illegally compromised by a criminal entity, which then contacted Luton purporting to advise a change of bank account details for Mark Rutherford School, to which the payment was due to be made.

NATIS said that despite extensive investigations and identifying several potential suspects, it had been unable to recover any of the funds and a “long term and worldwide” investigation was likely to be needed.

Luton chief executive Robin Porter said: “There has been a lot of misinformation circulating in the media and social media for the last two years about Luton Council’s role in this case, so I am pleased the report has been finalised and evidence presented. The report confirms that it was not the council’s system which was compromised and we are pleased that the report clears this up.

“However, this crime shows how vigilant all organisations need to be with such nasty and sophisticated cyber-criminal gangs operating around the world.”

Mr Porter said that since the incident Luton had introduced higher levels of risk management to further strengthen payment policies and ensure additional checks are made when the council is sent requests such as a change of bank details.

The matter was due this week to go to a scrutiny committee meeting, a paper for which noted Luton “paid the £1.1m into a bank account, in good faith, that we genuinely believed to belong to the Mark Rutherford School, which turned out to belong to criminals”.

Lloyds Bank alerted the council to the fraud about one month after the payment was made, it said.

Until then the council was unaware anything was amiss, as neither the school nor SEMLEP had complained of not having received the money, although the school’s business manager was off sick for most of this time.

The paper said the earliest identified unauthorised access to the SEMLEP employee’s email account was on 4 February 2020, from an IP address traced to the United Arab Emirates. The locations used changed regularly around the globe, “suggesting a sophisticated breach intended to hide the attacker’s identity”.

The council report said: “There were some opportunities to identify that this was an illegitimate claim to change banking details but given the level of detail and knowledge the perpetrators had, it would be unlikely to have been resolved by the processes in place at the time.”

NATIS and police bodies are continuing to investigate potential suspects.