Cyberattack caused Bergen County borough to misdirect tax payments, lawsuit says

Aug 5, 2025

A Cresskill company alleges that “preventable cyberfraud” within the borough’s tax collector’s email account allowed over half a million dollars in property tax payments to be misdirected.

In a lawsuit filed in state Superior Court by 45 Legion Drive in late July, the LLC said an unknown third party accessed Cresskill Tax Collector Ada Vassallo’s email repeatedly between February and May 2024. The suit says falsified wire instructions regarding the LLC’s property tax payments to the borough were sent to 45 Legion.

Borough Administrator Dianne Lavin and Mayor John Morgan did not return emails seeking comment. Eric Kanefsky, one of the attorneys for Legion, did not provide further comment.

The LLC owns the office building at 45 Legion Drive, which houses several businesses, including RD Legal Funding.

The suit says that because of these false emails, Legion wired “hundreds of thousands of dollars” to an account it believed was the municipality’s “legitimate bank account.” The lawsuit says over $550,000 in false payments were made.

The borough knew about the “suspicious activity” in February 2024 but failed to inform Legion, disable the email account or “implement even rudimentary safeguards to protect taxpayer funds,” the suit says.

It further accuses Vassallo of being aware of the breach for months and failing to investigate or secure the system. The suit says the inaction left the borough’s “information technology and communications systems vulnerable.”

Legion said the municipality’s failure to protect its IT system resulted in substantial spending on forensic investigation and remediation, with nearly $200,000 still unrecovered. The lawsuit says it also caused “significant business disruption and reputational harm.”

The lawsuit outlines the communications between Legion’s manager, Roni Dersovitz, and Vassallo regarding the property’s tax lien and property taxes. The suit says Dersovitz received an email he thought was from Vassallo with instructions for making the payments via wire transfer.

According to the lawsuit, in July 2024, Dersovitz told a clerk in the tax collector’s office that the borough’s online tax records “did not accurately reflect” the property’s tax payments.

“Cresskill subsequently determined that it had not received 45 Legion’s payments and that Ms. Vassallo had been the subject of a business email compromise cyberattack that had compromised the tax office account,” the suit says.

It says the fraudulent activity was made possible by the borough’s “inadequate cybersecurity measures,” which allowed Vassallo’s email to be spoofed “and was compounded” by the failure to report the cyberattack and to notify the affected taxpayers.

The suit says Cresskill held a meeting after the exposure of the attack and Vassallo admitted to Dersovitz that she had issues with the tax office account beginning in February or March 2024, such as not receiving emails. Additionally, the suit says, Mike Hamlet, the Cresskill director of technology, had said he noticed “suspicious activity” on the email server going back to February or April 2024.

The lawsuit accuses Cresskill and Vassallo of negligence and is seeking compensatory, special, consequential and incidental damages, plus prejudgment interest, punitive damages and lawyer fees.

Article source here: northjersey.com