It was Aug. 9, a week before one of the most important race events at Laguna Seca, when track staff realized they’d been attacked by an unknown hacker.
The file server containing all shared data across the Sports Car Racing Association of the Monterey Peninsula, or SCRAMP, which runs the track, had been encrypted and sealed off. This hacking technique is known as a CrySIS ransomware attack. A ransom note appeared on screen, demanding a payment of one bitcoin in return for a restoration of the data. At the time, the price of a bitcoin was almost $12,000.
SCRAMP did not pay the ransom and, with some outside help, was able to purge the corrupt software in a few days. Employees across the organization had to change passwords and many lost network permissions. After investigating the incident, IT staff installed better defenses. “But how the hackers got in was never determined,” says Timothy McGrane, CEO of SCRAMP.
The data targeted by the attack was never recovered. “We went to our last backup, which was two months old,” McGrane says. “We had to re-create two months of work, which put us under a lot of pressure.”
McGrane and his group were under pressure already, and not only because summer months are some of the busiest at Laguna Seca. The source of the stress was the group’s agreement with Monterey County, which owns the track. SCRAMP’s contract to manage Laguna Seca is set to expire Dec. 31. County staff have signaled dissatisfaction with SCRAMP.
The desire to consider alternative management became official on Oct. 15 when Assistant County Administrative Officer Dewayne Woods put out a call for proposals for Laguna Seca. The announcement said the “current manager” is invited to submit a proposal and noted a deadline of Oct. 31.
“My first reaction was that this is unconventional,” McGrane says. “Only two weeks for a multimillion-dollar proposal request?” He believes Woods is trying to push SCRAMP out but says he will fight for a contract renewal, pledging to appeal to the county Board of Supervisors if necessary.
A local nonprofit made up of racing enthusiasts, SCRAMP has run Laguna Seca since the track’s establishment in 1957. In recent years, the track had fallen into disrepair and financial mismanagement. McGrane acknowledges the troubled times but says steps have been taken to improve the situation since he took over in 2018. He points to upgrades to visitor experience and the return of IndyCar racing after 15 years.
In January, McGrane and his board commissioned the firm Hayashi Wayland to conduct an assessment of the group’s accounting. He was hoping for guidance on how to fix problems he knew existed.
The firm completed its report on Feb. 13 and the Weekly recently obtained a copy. The report found “significant operational inefficiencies,” “numerous financial reporting and accounting weaknesses,” and “non-compliance with required audit reporting.”
Some of the problems resulted from the fact that many business transactions, like ticket and merchandise sales, were recorded by “manual journal entry.” Once recorded, much of the financial data existed only on Excel spreadsheets rather than in professional accounting software. Accounting work was never thoroughly reviewed, the report found, perhaps because there was “no permanent accounting staff remaining” to do so. The consultants observed that “customer checks are left out on desks or in stacks on the floor.” They warned of the potential for fraud “where there are assets susceptible to misappropriation and inadequate controls to prevent or detect the fraud.” Another red flag was that SCRAMP “had significantly underreported an outstanding debt.”
The most glaring deficiencies noted in the report are under the section titled “Cash Management.” There is a safe in the SCRAMP office and it was supposed to have $325,519 in it, money stored on-site since September 2018. The amount alone was alarming to the consultants: “The cash on balance was far in excess of normal operating requirements,” they wrote. When they counted the cash on Jan. 29, 2019, the consultants only found $290,748 – about $35,000 were missing.
Three days later, SCRAMP’s interim chief financial officer, Dennis McGoff, emailed the consultants with an explanation. According to the report, McGoff said the reason money was missing was that he “forgot” to provide another box containing cash. The consultants never verified McGoff’s explanation. But since then, McGrane says, the issue has been resolved and the money “accounted for.”
There were also concerns about security: “The amount of cash on site is not in a secure building or adequately guarded,” the report says. “Moreover, we did not detect any security cameras or electronic tracking of how many times someone accessed the safe. This represents a significant security risk to the organization and its employees.”
The SCRAMP safe is now empty. All cash has been deposited in the bank.
That the organization had accounting challenges was not a secret to Kimberly Marlar when she took a job as the chief financial officer, starting on Feb. 1. But the extent of the mess shocked her when, two weeks later, she read the consultants’ report. “If I had read the report I would have never taken the position,” she says. “I was really appalled.” Marlar did in fact quit her job a few weeks later. But Woods convinced her to accept a job as a county employee and stay on at SCRAMP to provide financial control.
It is nine months later and the accounting situation has not substantially changed, McGrane and others say.