'Highly skilled and organised' cyber criminals stole £1.1m from Luton Borough Council account
The funds were intended for a new school block
An inquiry by the National Investigation Service (NATIS) has established that a cybercrime group targeted Luton Borough Council in 2020 and stole £1.1 million intended for a local school.
According to NATIS, this gang was involved in money laundering activities and targeted both South East Midlands Local Enterprise Partnership (SEMLEP) and Luton Borough Council with a serious fraud.
The investigation was launched after a SEMLEP Local Growth Fund grant of £1.1 million went missing in 2020.
The money was being held by Luton Council and was intended to assist in funding a new school block at Mark Rutherford School in Bedford.
The Luton Borough Council serves as the accountable body for SEMLEP.
According to the NATIS report, hackers gained access to a SEMLEP employee's user account, and from there, they emailed Luton Council to request new bank information for Mark Rutherford School.
NATIS said that despite detailed investigations and the identification of several probable suspects, it was unable to recover any of the funds. A long term and worldwide inquiry was likely required to recover stolen funds, it added.
NATIS includes members from the government, the police, Thurrock Council and the Crown Prosecution Service, and works to combat organised fraud against the public sector.
The matter was scheduled to be discussed by the scrutiny committee this week.
A paper for the hearing noted that Luton paid the £1.1 million into a bank account it had mistakenly assumed belonged to the Mark Rutherford School, which turned out to belong to criminals.
About a month after the payment was made, Lloyds Bank alerted the council of the scam.
Neither the school nor SEMLEP had raised a complaint about not receiving the money up until that point, so the council was unaware that anything was missing.
The council described the criminals as "highly skilled and organised".
Robin Porter, CEO of Luton Borough Council, welcomed the report, stating that it clarified a lot of the misinformation that had been published during the previous two years.
"I'm pleased the report has been finalised and evidence presented," he said.
"The findings confirm that it wasn't the council's system which was compromised and we're pleased that the investigation clears this up.
"However, this crime shows how vigilant all organisations need to be with such nasty and sophisticated cyber-criminal gangs operating around the world."
A number of suggestions were made in the report for the council and SEMLEP to improve their internal procedures.
"As a result of this incident, we've introduced higher levels of risk management to further strengthen our payment policies and ensure extra checks are made when we're sent requests such as change of bank details," Porter said.