Hackers Scam Millions from Company Managing Battery Park City Condos
More than $18 million has been stolen by online scammers from a management company that oversees a portfolio of residential buildings in Battery Park City, according to multiple sources directly familiar with the situation. These funds were collected from condominium owners as part of their monthly common charges and entrusted to Milford Management by various condo buildings for remittance to the Battery Park City Authority (BPCA) in satisfaction of ground rent and “payment in lieu of taxes” (PILOT) obligations. These payments are submitted to the BPCA on a quarterly basis.
Shortly before the electronic transfer of funds was slated to take place at the end of June, an impostor posing as an employee of the BPCA emailed Milford’s finance team and instructed them to direct the funds to a new account at TD Bank. The missing funds were not detected until mid-July, when the BPCA notified multiple buildings that their accounts were past due.
In a July 29 letter to condominium owners at the affected buildings, the firm wrote, “Milford Management has been the victim of a sophisticated fraud involving funds intended to be wired to the Battery Park City Authority for ground lease rent and PILOT payments. Your building is among those whose funds were stolen.”
The letter further explained, “the matter is currently under investigation by the Department of Homeland Security [which] is leading a multi-agency task force. Their investigation is still in its early stages, so there is much that is not yet known. We can tell you that it appears the thieves were able to set up a bank account at TD Bank impersonating BPCA, then used spoofed BPCA email addresses to induce wire transfers into the account. As a result, BPCA never received the payments.”
“Upon learning that the funds had not been received, Milford Management immediately contacted the banks involved, as well as law enforcement authorities. The law enforcement and banking investigations will determine the extent to which the funds can be recovered, but in the meantime, we have notified the relevant insurance carriers,” the company added.
Jim Haggerty, a spokesman for Milford Management, told the Broadsheet, “As this fraud is the subject of an ongoing law enforcement investigation, we will have no further comment on the matter.”
Nick Sbordone, a spokesman for the BPCA, said, “the Authority has been made aware of a cyber incident resulting in payment issues that affected several buildings in Battery Park City. BPCA was not involved in this incident, and its operations are not impacted. BPCA understands that this incident has been reported to the relevant law enforcement agencies and that an investigation is ongoing. BPCA will continue to work with residents of the affected buildings, the property management company, and law enforcement agencies as the investigation continues.”
A TD Bank spokesperson did not respond to a request for comment, nor did a representative from the Department of Homeland Security.
A board member at one of the condominium buildings affected by this theft (who requested anonymity) said, “I think the important part of the story, which isn’t getting much focus, is that Milford lost more than any other owner. They weren’t just being careless with our money. It was their money, too.” This was a reference to the fact that Milford Management is a subsidiary of Milstein Properties, a real estate development firm that originally built half a dozen residential buildings in the community (including all those containing the word “Liberty” in their names), and still owns considerable stakes in several of these. In its ongoing capacity as the owner of many hundreds of condominium apartments in Battery Park City, Milstein Properties contributed a significant percentage of the money that has now disappeared. (Milford also manages several local condominium buildings that were not developed by Milstein Properties.)
“I believe it’s just a cautionary tale about cybercrime,” this condo board member continued. “Milford itself is not the villain here, yet. They are the fool. It remains to be seen if they will act like a villain or not.”
This was a reference to the ambiguity surrounding the status of the lost funds. Each party to the transaction that has been hacked is likely to disclaim financial responsibility (and liability). The BPCA can argue that they never received funds they are owed. The boards and unit owners of condominium buildings affected by the theft can point to the fact that they paid what they owed and entrusted these funds to Milford. And Milford might allege that TD Bank didn’t have sufficient controls in place to prevent such a theft.
All parties involved are likely to be reviewing their insurance coverage. While management companies and individual condominiums routinely carry protection against generalized crime, these policies typically carve out what insurers call “sub-limits” for two categories of criminal activity relevant to this incident: “social engineering fraud” and “cyber liability.”
Social engineering fraud refers to a hacker impersonating a trusted individual to induce the victim into releasing funds to an unauthorized recipient. Cyber liability is a broader category of losses arising from illicit electronic activity, such as data breaches or cyber attacks.
The sobering news for the holders of such policies is that while overall crime coverage usually stipulates generous protection (typically several million dollars), the sub-limits for social engineering fraud and cyber liability are generally a small fraction of this amount, typically capping any protection at around $250,000.
