Their accounts payable department received an email that appeared to be from Imperial Construction, a company that was doing business with the city at the time. The sender of the email, later identified as Gbenga A. Fadipe, requested a change of account.
The scam email prompted the department to change an electronic deposit from Plains Capital Bank to a different account with Chase Bank. Given the convincing nature of the email, the request received approval. The city’s accounts payable department believed that Imperial Construction had simply changed banks.
However, this wasn’t the case. Fadipe had planned the cyberattack to gain access to city accounts. According to the arrest warrant affidavit, he withdrew thousands of dollars between November 2017 and January 2018 from the new account with Chase Bank, severely compromising the cybersecurity of Fort Worth.
City officials responded, claiming that Fort Worth “had been the victim of fraud in late 2017 when, due to human error, a vendor payment was redirected to a bad actor.” As of now, Tarrant County has charged Fadipe with theft of property greater than $300,000, though the true cost of the scam is much higher. The injustice might have ended here, were it not for the events that transpired shortly afterwards.
Fort Worth’s former IT manager, William Birchett, went to officials with concerns over the state of their cybersecurity following the attack. He made several claims, including that the city had left the medical and personal information of their employees accessible to anyone with internet access.
Birchett also brought attention to how the city had lied about its compliance with FBI crime database regulations. He reported his findings and submitted a proposal to Kevin Gunn, the city’s acting chief financial officer. Birchett also went to Roger Wright, the city’s acting chief technology officer.
Instead of moving forward with the changes, city officials fired Birchett in retaliation. They would later fire one of Birchett’s coworkers, Ronald Burke, who had previously supervised him. Both men have since filed whistleblower lawsuits against the city, with representation from attorney Stephen Kennedy.
Burke has also claimed the city retaliated against him for reporting issues with their cybersecurity and compliance with federal regulations. Like Birchett, Burke is seeking more than $1 million from the city of Fort Worth, which is “fully prepared to defend itself,” according to a recent statement from officials.
In response to the allegations from Birchett and Burke, city officials said, “The people who have filed these suits were responsible for managing the very security items that they are now criticizing…” Officials went on to say they resolved the problem with their employee data “immediately,” but this is not the case.
Stephen Kennedy responded to the attempt by city officials to address the controversy, saying, “The City is not being forthright when it claims that it ‘immediately’ resolved issues concerning preservation of the City employees’ medical data information, unless your definition of the word immediate means six months…”
Birchett and Burke have provided additional insight into the city’s negligence. They allege that they repeatedly reported on problems with Fort Worth’s cybersecurity and compliance with federal Criminal Justice Information Services regulations. Despite their efforts, city officials refused to take action.
The behavior of Kevin Gunn, Robert Wright and other Fort Worth officials is indicative of a larger problem than the phishing scam with Imperial Construction. It shows a pattern of irresponsibility and neglect that goes back farther than 2017. Even with access to potential solutions, officials failed to act.
The decision to retaliate against whistleblowers is often counterintuitive. In this instance, the city of Forth Worth was attempting to suppress information, but the firing of Birchett and Burke only brought that information to the surface. Though city officials tried to ignore the flaws in their system, they only intensified.
This speaks to the importance of individuals like William Birchett and Ronald Burke. Without the courage of whistleblowers, an organization with illicit practices can continue to grow. Even if that organization retaliates, whistleblowers have protection under the law and can trust in the justice system to serve its purpose.
As context, OSHA’s Whistleblower Protection Program enforces the provisions in more than twenty whistleblower statutes, protecting employees in the healthcare, airline and food safety industries, among other sectors. In short, those who come forward with information about a company can expect fair treatment.
Gbenga A. Fadipe’s phishing scam revealed far more about the city of Fort Worth than anticipated. What started with a fraudulent email quickly transformed into something else, and now, Birchett and Burke are set to move forward with their individual lawsuits against the city. As the situation unfolds, it will likely have implications outside the state of Texas.
Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com.