GALVESTON, Texas – Six months after Galveston County was duped out of more than $500,000, County Judge Mark Henry called for the resignations of the county auditor and the county purchasing agent.
As KPRC reported in June, the county was conned into sending the money to the thief’s bank account instead of sending the funds to a legitimate vendor.
“It's been six months. No one has been held accountable. There's been nothing but finger-pointing and shoulder-shrugging,” said Henry.
The money was supposed to be paid to a League City company for a road construction project relating to Hurricane Ike.
“They want to talk about what's been done to keep it from happening again. Well, it shouldn't have happened in the first place,” said Henry.
Henry said someone created bogus email accounts to convince a county employee they were communicating with the company and vice versa. The thief then sent a change of payment form to the county treasurer's office to have the money sent electronically instead of by check. Henry said the contractor had always been paid by check. What happened is something known as a “man-in-the-middle attack.”
The payment process then moved through the purchasing and auditor's offices.
“That money is gone. They tracked (it), I think, to Dubai and Nigeria and, past that, they don't know,” said Henry.
County Purchasing Agent Rufus Crowder said he is not resigning.
“I think it’s ludicrous,” said Crowder.
Crowder said the county was hit by a sophisticated thief and no one in his office was lax. He said that, when the change of payment hit his office, it was believed it had already been verified by the treasurer’s office.
“Trying to fire somebody over something that wasn't intentional and nobody is directly to blame,” said Crowder.
The county did hire an outside company to investigate what happened. A report issued by Lubbock-based Dawson Forensic Group noted, “A department or individual cannot be held accountable for noncompliance with processes that may not have been properly designed or that did not exist.”
The company’s report also noted “a lack of understanding/training as to recognition of these types of attacks, a lack of vendor information establishment/change validation processes and a lack of understanding as to which office/department had the responsibility for validation of vendor information.”
The company’s report also said a purchasing department employee thought the treasurer’s office had validated the change request, while a treasurer’s office employee believed that was the responsibility of the purchasing office.
“This misunderstanding/lack of understanding contributed to the accomplishment of the attack,” the report says.
The report praises the departments for fully investigating the problem and making necessary changes. The company noted the investigation and changes made led to a reduction in the fee associated with compiling the report.
Crowder said one of the biggest changes was that his office would take all responsibility for verifying a change in vendor payment information.
“Since we own the vendor database for the county, I want to take that over,” said Crowder.
While Henry called for resignations, the county judge has no authority over the auditor and purchasing agent. These positions are appointed and overseen by independent boards. KPRC contacted the members of these boards, but has not yet received a response.
The county auditor told KPRC he is not resigning and believes his office did nothing wrong. He deferred further comments to the board that oversees his office.
Henry said the county is trying to recoup the funds by filing claims with the bonding companies for the purchasing agent and auditor. These companies, however, would have to determine these offices were at fault before settling a claim, said Henry.
Henry said the county’s legal department has also been asked to determine whether a claim can be filed with the county’s crime and fraud insurance policy.