The Montana Department of Agriculture lost more than $344,000 to someone posing as a grant recipient in an email phishing attack, according to a new report recently released by the Division legislative audit.
The incident, which occurred in October 2020, was one of two cases reported by a legislative audit team as part of a two-year cycle of reviews for the Legislative Assembly.
The other incident, which happened in April 2020, happened when a Department of Agriculture employee purchased $1,000 in gift cards in response to another email phishing attack. This scam was foiled when the employee became suspicious and informed his supervisor. According to the report, the gift cards were returned for full credit.
However, the state lost $344,271 in the biggest phishing scam. He noted that the ministry was able to stop the first payment to the hackers, but not the second, which resulted in the loss.
The Montana Department of Agriculture accepted the auditors’ findings and agreed to update its financial controls. The department also reported the theft to its chief attorney, the governor’s office, and the Administration Department’s Risk Management and Crime Defense Department, but did not notify state auditors. .
The Legislative Audit Division reported that the incident was assigned to the state insurance company.
“We recommend that the Department of Agriculture comply with state law by notifying the Attorney General and the Legislative Auditor in writing of the discovery of any theft, actual or suspected, involving the money or property of state,” the report recommends.
The report notes that the Department of Agriculture did not notify the Attorney General or the Legislative Auditor of the gift card issues because staff determined it was unnecessary because the theft was ultimately unsuccessful.
Other credit problem
The auditor’s office also uncovered another problem, primarily an accounting problem, but pointed to a possible legislative solution.
The Department’s Agricultural Science Division provides licenses and registrations for pesticides, pesticide applicators and dealers, and specialty pesticide registrations that are processed through a custom registration system, MT Plants.
Auditors found that the system can process and accept payments, often placed in accounts by farmers and ranchers for renewals, permits or registrations. However, when customers have overpaid in the system, the system does not refund the overpayments unless a customer requests it in writing. Also, staff can only tell if there is a credit balance in the “notes” section of the customer profile.
“MT Plants is an older system with limited capabilities. It can track balances due to the service but cannot track balances due to the customer. Due to system limitations, we do not know how many customer accounts have a credit balance and the total of those credit balances,” the auditors’ report states.
The report noted that some staff were reimbursing overpayments, while others wanted a written request.
“It’s not done consistently,” the report said. “Management said staff turnover has caused confusion over internal reimbursement policies.”