BOSTON (WWLP) – A state auditor’s report is recommending that Westfield State University (WSU) create an IT security awareness training program for all employees after the mistaken transfer of $1.75 million to an unauthorized account.
The full audit report can be found here.
The incident occurred in February 2020. Ramon Torrecilha, then WSU president, released a statement at the time saying that the cyber theft was an isolated incident and that no data was compromised. The full amount was recovered when the transaction was detected.
The audit report found that the transfer of $1.75 million by Westfield State University (WSU) to an unauthorized account was due to a failure to follow a basic procedure. Because WSU was not verifying the accuracy of changes to banking and income tax information for its vendors in the state’s accounting system, a WSU employee mistakenly enabled the transaction to take place.
According to the report, employees did not document that they verified the accuracy of change requests for 10 of the 13 vendors that came into service for WSU during the audit period of October 1, 2018 through March 31, 2020. In its response, WSU indicated it was taking steps to address the audit’s concerns surrounding the verification problems.
The investigation revealed WSU did not ensure that employees who had access to its IT systems received security awareness training as required by the Executive Office of Technology Services and Security (EOTSS). The University was conducting periodic training, but attendance from staff was not required. The audit recommends WSU establish a formal IT security awareness training program for all employees.
22News contacted WSU for a response to the report, but has not received a reply.