A phishing attack targeting the Sudbury Public Schools (SPS) in August 2025 resulted in the unauthorized diversion of employee payroll funds. The breach, which compromised the direct deposit accounts of four school employees, was not reported to Town finance officials. It was uncovered by Town of Sudbury officials nearly two months later during a routine bank reconciliation.
The incident began in mid-August when a wave of malicious phishing emails circulated among SPS staff. Over 100 deceptive emails were sent to employees featuring subject lines such as “Signature Required by 8/18/2025” and “Immediate Action Required: District-Wide Compliance Audit Schedule.” The emails directed staff to a fraudulent Form disguised as a mandatory compliance document.
A school payroll specialist interacted with the malicious link, inadvertently granting attackers access to several employees’ Harpers EmployeeForward payroll and associated email accounts and allowing them to intercept multi-factor authentication (MFA) codes.
Once inside the payroll system, the hackers altered the direct deposit routing information for multiple employees. Harpers Payroll automatically generated confirmation emails regarding these changes, which were sent to the SPS payroll specialist. According to Town documents, the specialist approved the fraudulent changes without independently verifying them with the affected staff members. The hackers also intercepted automated alerts intended for the employees, preventing employees from noticing the unauthorized activity.
As a result, a total of $12,825.50 spanning the August 21 and September 4 payroll cycles was deposited directly into a fraudulent account.
When the affected employees reported missing their paychecks in early September, the SPS payroll specialist voided and reissued the checks to ensure the employees were paid. It turned out to be too late to void the previously issued checks. No SPS official notified the Town of Sudbury’s Finance Department about the cyber incident or the lost funds.
The Town’s Treasurer/Collector uncovered the irregularities in late October 2025 while routinely reconciling the payroll account. Upon realizing that replacement checks had been issued due to a cyber breach, Town officials immediately started an investigation.
Assistant Town Manager and Finance Director Victor Garofalo outlined the severity of the communication breakdown in an October 23 email to school officials, noting:
“This situation raises significant concerns about communication, internal controls, and cybersecurity awareness. The lack of immediate notification to the Town is particularly troubling.”
[Redactions by Sudbury Weekly]
SPS Superintendent Brad Crozier and Director of Business and Human Resources Don Sawyer were asked to comment on the matter. They have not responded as of the time this article was published.
To manage the fallout and prevent future breaches, the Town initiated several emergency protocols, as outlined by the Assistant Town Manager:
Insurance Investigation: The Town filed a cyber insurance claim with MIIA, its insurance firm, which assigned an investigator.
Forensic Audit: Cybersecurity firm Vector3, Inc. and legal counsel Lewis Brisbois were retained to lead a forensic review of the SPS Google accounts.
Financial Impact: The Town holds a cyber liability policy with a $1 million limit and a $7,500 deductible. The Sudbury Public Schools will be responsible for any unrecovered funds and related costs.
Security Overhaul: All online self-service direct deposit changes through the Employee Forward portal have been completely disabled for both Town and School employees.
New Verification Rules: Going forward, any direct deposit updates must be completed in person and independently verified by payroll staff.
With regard to the new verification rules, records indicate that SPS administrators did not notify employees of the policy change until February 4 of this year, months after the Town initiated the investigation and outlined the corrective measures.
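The control failure described above (routing changes approved on the strength of a confirmation email alone, several employees re-routed to one new account days before a pay date) is the kind of pattern a payroll team can screen for before funds move. The following is an added illustration, not code from the Town, the schools or any payroll vendor; the event records, account labels and the 7-day lookback are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class DepositChange:
    employee: str
    new_account: str              # opaque label; constructed, not real banking data
    changed_on: date
    verified_with_employee: bool  # True only if payroll confirmed the change out-of-band


# Constructed sample events shaped like the incident described above: four employees
# re-routed to one new account shortly before a pay date with no out-of-band
# confirmation, plus one ordinary change that was verified in person for contrast.
SAMPLE_CHANGES = [
    DepositChange("emp-001", "ACCT-NEW-1", date(2025, 8, 15), False),
    DepositChange("emp-002", "ACCT-NEW-1", date(2025, 8, 15), False),
    DepositChange("emp-003", "ACCT-NEW-1", date(2025, 8, 16), False),
    DepositChange("emp-004", "ACCT-NEW-1", date(2025, 8, 16), False),
    DepositChange("emp-005", "ACCT-NEW-2", date(2025, 8, 1), True),
]
PAY_DATES = [date(2025, 8, 21), date(2025, 9, 4)]  # the two cycles named in the article
LOOKBACK = timedelta(days=7)                        # assumed review window before a pay date


def review_changes(changes, pay_dates, lookback=LOOKBACK):
    """Return {employee: [reasons]} for changes that should be held pending verification."""
    by_account = defaultdict(set)
    for c in changes:
        by_account[c.new_account].add(c.employee)
    findings = defaultdict(list)
    for c in changes:
        if not c.verified_with_employee:
            findings[c.employee].append("approved without independent verification")
        others = by_account[c.new_account] - {c.employee}
        if others:  # one destination account for several employees is a strong red flag
            findings[c.employee].append(f"new account shared with {sorted(others)}")
        if any(timedelta(0) <= (pd - c.changed_on) <= lookback for pd in pay_dates):
            findings[c.employee].append("changed within lookback window before a pay date")
    return dict(findings)


if __name__ == "__main__":
    for employee, reasons in review_changes(SAMPLE_CHANGES, PAY_DATES).items():
        print(employee, "-> HOLD:", "; ".join(reasons))
```

A change that produces any finding is held until payroll staff confirm it with the employee through a channel the attacker does not control, which is the substance of the in-person rule the Town adopted.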