States have been slashing funding allocations and contemplating tax increases as a means of balancing their budgets, which makes a recent revelation concerning the state of Utah's treasury all the more embarassing. According to investigators, state officials recently uncovered evidence that some $2.5 million had been transferred from the state's coffers into various holding accounts. The scheme is thought to have originated in Africa, possibly in Nigeria, but is not the same sort of attack that's typically referenced when a person or article refers to a "Nigerian scam."

According to the Salt Lake Tribune, the chain of events leading to the theft were set in motion when one of the would-be thieves (or an associate) acquired a vendor number for the University of Utah's design and construction department. That information allowed the miscreants to forge documents, changing the bank account information for the account in question. Once the account was under new management, the criminals invoiced the state of Utah for various imaginary repairs and/or expenses with instructions to deposit the cash into the hacked account (a Bank of America account in Texas).

The state paid out $2.5 million before the bank finally started making inquiries as to why the account was seeing such a large amount of traffic. Of the $2.5 million transferred, the receiving bank was able to freeze about $1.8 million; the net loss at this point is around $700K.

There is no simple trail back to the perpetrators themselves; the thieves obscured their own records by providing false identifications and addresses. The Texas account at Bank of America was reportedly opened by a man with a Minnesota license, and other individuals mentioned in the warrant are also from that state. The involvement and guilt, if any, of these individuals has yet to be determined, and it may be that the individuals in question were hooked through what would have appeared to be a standard "419 scheme" on their end.

Existing security measures at both the University of Utah and within the Utah state government obviously failed, but identifying exactly where the failure points were seems more important than pointing fingers at this stage of the investigation. Was the vendor number leak the result of spyware infestation, poor security, or a failure on the part of the university to recognize how vendor numbers could be used for illicit purposes? In this case, it's particularly important to determine whether the thieves essentially got lucky by infecting a random system with unusually valuable information, or if someone involved in the theft was operating on insider information.

Given that Utah is one of many states facing a massive budget shortfall, losing money to scammers doesn't look particularly competent, but once the particulars are known, the hole should be easy to plug. I suspect this was a one-off operation rather than the sign of a new wave of attacks, as it employed a degree of sophistication we just don't see in the bombardment of Nigerian scam e-mails that come pouring in, typed in capital letters.

That's cold comfort for the state employees who are about to come under a bright light, but the other 49 probably hopefully don't have a much to be concerned about.