Officials have notified hundreds of employees and residents that their bank account information was compromised last week when hackers broke into city systems and stole more than $400,000 from a city account at Bank of America.
In an alert issued this morning, city administrator Bryan Harrison said all autopay customers should assume that their name, bank account number and routing number was comprised following an intrusion into a city utility billing system.
Among those impacted by the breach are employees participating in Burlington's electronic payroll deposit program and utility customers enrolled in the city's autopay program for sewer and storm drain charges.
The city immediately reviewed the activity and noticed at least three "significant transactions" from its Bank of America account to accounts at the east coast bank. In all, over $400,000 was illegally transferred to business and personal accounts around the country over a two-day period, Harrison said.
The theft could have been much worse because the affected account contained a lot more cash, he said.. "There was much more in that specific account. We don't know if [the hackers] just didn't have the time" to steal more funds.
Investigators are trying to figure out how the intruders gained access to the Bank of America account. The account has been frozen and all of the city's money has been temporarily moved out of Bank of America as a precaution.
Numerous other small town, municipalities and small businesses have been victimized by similar online heists over the past three or four years.
In most incidents, the cybercrooks first stole usernames and passwords used by to gain access to bank accounts. The stolen credentials were then used to log into the online accounts and wire transfer money to mule accounts in the United States and abroad.
The FBI has estimated that U.S. businesses and banks have lost hundreds of millions of dollars due to such thefts in recent years.
The Burlington theft came just days after security firm RSA warned of cybercriminals plotting a massive and concerted campaign to steal money from the online accounts of thousands of consumers at 30 or more major U.S. banks.
In an advisory posted earlier this month, RSA said it had information suggesting that a criminal gang planned to unleash a Trojan program called Gozi Prinimalka that would infiltrate computers belonging to U.S. banking customers and to initiate fraudulent wire transfers from their accounts.
According to RSA, the organizers of the attack are currently recruiting about 100 botmasters to launch and coordinate the attacks.
Since RSA's alert, several other security experts have reported seeing the signs of preparation of an imminent and massive attack against U.S banking customers.
By Jaikumar Vijayan