Citing cybersecurity fears, Worcester will no longer post spending online for public view

City Manager Eric D. Batista

WORCESTER — The city will no longer post the tax dollars spent from its checkbook online for all to see, citing concerns about cyberattacks and fraud.

The city’s online vendor check register — which has been offline for more than a year, with a message saying it will return — will not be brought back online, City Manager Eric D. Batista said in response to a query from the Telegram & Gazette.

The register, which allowed the public to see checks written to vendors like insurance companies and infrastructure contractors, and included sortable data like court judgments, is too much of a liability for fraud, Batista said.

“Posting city vendor payments creates significant cybersecurity and privacy concerns,” the manager wrote. “With the mass collection of data globally and increasing cyber risk, there has been a shift toward more privacy orientation and concern around data governance.”

Worcester, when it announced the online register in 2010, hailed the move as a boon for transparency and said it was the first municipality in the state to do so.

In the intervening years, many towns large and small have also posted their information online, and the state, at the behest of lawmakers, posts similar information as well as detailed information about salaries paid to public employees.

A spokesman for the Massachusetts Comptroller’s office did not return an email Friday requesting information about the extent to which the state has faced problems with the concerns Batista identified.

It is unclear whether Worcester, New England’s second-largest city, is the first large city in the state to remove its register. Boston, the region’s largest city, still posts such information online.

A spokesperson for the Massachusetts Municipal Association, the private nonprofit that describes itself as the “voice” of the state’s municipalities, said Friday it could not immediately comment on the move as it had not “heard much” about a trend of removing financial data for security purposes.

Common Cause Massachusetts, a good-government group, also declined to comment, saying it also wasn’t familiar enough with the topic.

A spokesperson for Batista did not directly answer a question about whether it could direct the T&G to other cities in the state that have removed such data. Batista in his statement provided a link to a story about a municipal water treatment facility in Pennsylvania that “was hacked due to its use of Israeli components.”

“Without careful data management, it would be easy for a foreign adversary to use an Open Checkbook to see if the City should be targeted with a simple vendor search,” Batista wrote. “It would also be easy for a foreign adversary to add the municipality’s infrastructure vendors into a database, allowing them to target an attack when a new vulnerability is identified before remediation can occur.”

Moreover, the manager said, the city has had actual experience with attempted fraud.

“The City has had direct experience where a hacker has researched a vendor’s affiliation with the City, hacked the vendor’s email, and inserted themselves into an existing email chain to attempt to secure funding,” Batista wrote. “In this case, due to ongoing training and cybersecurity protocols, the employee noticed the red flags and reported it.”

The city first took the register offline in late 2020, issuing a press release in January 2021 citing the security concerns and saying a “streamlined” version was now available.

Batista did not say in his statement when the streamlined version was removed. Asked about the system’s removal in April 2023 by the T&G, a city spokesperson did not have a specific timetable for its return.

The section of the city’s website dedicated to the check register has said for more than a year that it would come back online following a changeover in a financial management system.

“After consulting with the Departments of Innovation & Technology and Administration & Finance, the municipality made the decision to not reinstate the City website’s vendor check registry following a temporary hold due to the migration to a new cloud-based financial management system,” Batista wrote, adding that posting the information “creates significant cybersecurity and privacy concerns.

“With the mass collection of data globally and increasing cyber risk, there has been a shift toward more privacy orientation and concern around data governance.”

Batista said concerns include data being “easily scraped” from the website, given rises in spear phishing and the use of AI to “consume government data.”

“It creates a situation where it’s easy for bad actors to get insight into sensitive areas (such as general technologies, cyber-security tools, infrastructure investment and status, and emergency response situations) from a cyber and public safety perspective.

“There is also the potential for groups, including foreign adversaries, to use the information to imitate a vendor to gain organizational information or attempt to extort funds.”

The T&G has used the system in the past to monitor city spending, court judgments and other financial information.

Tom Matthews, a city spokesman, said the data is still public and can be accessed by requesting it from the city, which has an online portal for public records requests.

Matthews, in response to a recent request for financial data regarding whether city police had used a controversial police training group, provided a response to the T&G the following day.

The T&G reached out to city councilors via email Friday morning to ask for their perspective on the city’s decision to remove the register and whether they were consulted.

Mayor Joseph M. Petty, in a telephone call shortly afterward, said he planned to file a request with Batista for more information, which he did that afternoon.

“Request City Manager provide City Council with a report concerning why the city’s online vendor check register is no longer available on the city’s website,” Petty wrote in the request, according to the council’s agenda for Tuesday.

This article originally appeared on Telegram & Gazette: Worcester to remove online check register from public view
