COLUMBUS — Cleveland Public Library transferred nearly $400,000 to a fictitious vendor after failing to adopt proper internal controls to detect payment redirect schemes, according to a financial audit made public Tuesday by Auditor of State Keith Faber’s office.
The incident, which took place in June 2024, was detailed in a management letter as part of an audit of the library’s finances from Jan. 1, 2024, through Dec. 31, 2024.
Auditors said the library changed bank payment information after receiving a request from someone pretending to be a legitimate vendor. A payment of $396,405 was eventually submitted to the fictitious account, the management letter stated.
Once discovered, auditors noted that the library’s finance department “immediately notified the appropriate parties,” and “followed the appropriate steps and was eventually made whole.”
The Cleveland Public Library was able to recover the entire lost amount through:
$350,000 payment from its insurance company
$46,405.14 that was forgiven by the legitimate vendor
$133,840.50 that was recovered from the fraudulent bank account and then repaid to the insurance company
Auditors noted in the letter that the library did not have a proper internal control process in place to detect fictitious vendors. They also wrote that the library immediately implemented multiple vendor verification measures to prevent future business email compromise schemes.
In addition to implementing vendor verification measures, library managers required staff to take the state’s free cybersecurity training for local government entities called the Ohio Persistent Cyber Improvement, according to a Cleveland Public Library spokesperson.
“The responsible stewardship of public investment is a top priority for the Cleveland Public Library (CPL),” the spokesperson said in an email. “In an unfortunate incident involving a vendor whose email was hacked, Cleveland Public Library was the victim of a redirect scam in June 2024. No CPL technology was compromised in this attack. The Library took immediate steps to recover the loss and to implement multiple vendor verification measures to prevent future potential compromise.”