WORCESTER — The city will no longer post tax payments from its checkbook for anyone to see online, citing concerns about cyberattacks and fraud.
The city has no intention of bringing its online merchant check registry, which has been offline for more than a year, back online, despite messages saying it will be back, City Manager Eric D. Batista said in response to questions from the Telegram & Gazette.
Batista said the registry allows the public to view checks drawn on vendors such as insurance companies and infrastructure contractors, and also includes categorizable data such as court decisions, which helps identify fraud. He said it was too much responsibility.
“Posting payments to City vendors raises serious cybersecurity and privacy concerns,” the manager wrote. “As more data is collected around the world and cyber risks increase, there is a growing focus on privacy and growing concerns about data governance.”
When Worcester announced the online registry in 2010, it welcomed the move as a benefit of transparency and said it was the first municipality in the state to do so.
During this time, many towns large and small have posted information online, and states, at the behest of their lawmakers, have also posted similar information and detailed information on salaries paid to public employees.
A spokeswoman for the Massachusetts Comptroller's Office did not return an email Friday seeking information about the extent of the problem the state faces regarding the concerns raised by Batista.
It is unclear whether Worcester, New England's second-largest city, will become the first large city in the state to be deregistered. Boston, the region's largest city, still posts such information online.
A spokesperson for the Massachusetts Association of Municipalities, a private nonprofit that bills itself as a “voice” for Massachusetts municipalities, said Friday that he could not comment on a trend of deleting Massachusetts municipal financial data for security purposes, saying it was “not something we're hearing much about.”
Common Cause Massachusetts, a good government organization, also declined to comment, saying it did not know enough about the topic.
A spokesperson for Mr. Batista did not directly respond to a statement about whether T&G could direct other cities in the state to remove such data. In his statement, Batista provided a link to an article about a municipal water treatment facility in Pennsylvania that was “hacked due to the use of Israeli components.”
“Without careful data management, it would be easy for a foreign adversary to use the open checkbook to see if a city should be targeted with a simple vendor search,” Batista wrote. “It would also be easier for foreign adversaries to add municipal infrastructure vendors to their databases, allowing them to target new vulnerabilities as they are discovered before remediation takes place.”
Additionally, the administrator said the city has actual experience with attempted fraud.
“The City has first-hand experience with hackers investigating vendors' relationships with the City, hacking vendors' emails, and infiltrating existing email chains in an effort to secure funding,” Batista wrote. “In this case, through ongoing training and cybersecurity protocols, our employees noticed and reported the red flags.”
The city first took the register offline in late 2020, issuing a press release in January 2021 noting security concerns and saying a “streamlined” version was now available.
In his statement, Batista did not say when the streamlined version was removed. When asked by T&G about the system being phased out in April 2023, a city spokesperson did not provide a specific timeline for its return.
The check register section of the city's website says it will be more than a year before the check register comes back online due to changes to the financial management system.
“After consultation with the Department of Innovation and Technology and the Department of Government and Finance, the City has made the decision not to reinstate the Vendor Check Registry on the City's website, which had been put on hold due to the transition to a new cloud-based financial management system,” Batista wrote. He added that posting the information “raises serious cybersecurity and privacy concerns.”
“As more data is collected around the world and cyber risks increase, there is a growing focus on privacy and growing concerns about data governance.”
Batista said he was concerned that data could be “easily harvested” from websites, given the rise in spear phishing and the use of AI to “consume government data.”
“From a cyber and public safety perspective, this creates a situation where malicious actors can easily gain insight into sensitive areas, such as common technologies, cybersecurity tools, infrastructure investments and status, and emergency response status.
“Groups, including foreign adversaries, could also use that information to imitate the vendor and obtain organizational information or attempt to extort funds.”
T&G has used the system in the past to monitor city spending, court decisions and other financial information.
City spokesman Tom Matthews said the data is still publicly available and can be accessed by requesting it from the city, which has an online portal for public records requests.
Matthews provided a response to T&G the next day in response to a recent request for financial data about whether the city's police department used the controversial police training group.
T&G contacted councilors via email Friday morning asking for their thoughts on the city's decision to remove the register and whether they had been consulted.
Mayor Joseph M. Petty said in a subsequent phone call that he planned to request more information from Mr. Batista, which he did that afternoon.
According to Tuesday's City Council agenda, Petty wrote that he requests that “the City Administrator provide the City Council with a report on why the City's Online Seller Check Registry is no longer available on the City's website.”