Thieves drained $800,000 from a fuel distribution company in the US state of North Carolina earlier this month - a loss that the company thinks might have something to do with its bank having recently upgraded its security system.
According to security journalist Brian Krebs, the loss could have been a lot less if the bank or the targeted company - Mooresville, N.C. based J.T. Alexander & Son Inc. - had noticed the penetration earlier.
As it is, the attackers drained money for five days before a reporter notified either business of what was going on. Krebs didn't identify the reporter.
On the morning of May 1, the cyber thieves started carving out sub-$5,000 and sub $10,000 chunks of cash from J.T. Alexander's bank, Peoples Bancorp of North Carolina Inc.
They then sent the money via automated clearing house (ACH) payment to about a dozen money mules who laundered the stolen funds.
On top of the funds stolen from the bank, the ACH payments themselves were deducted from J.T. Alexander's payroll account, Krebs writes.
David Alexander, J.T. Alexander & Son’s president, told Krebs that the loss was “pretty substantial” and “painful” for the small company, which employs a staff of only 15.
The company typically spends less than $30,000 on its total payroll every two weeks. In five days, the crooks managed to steal more than a year's worth of salaries.
While J.T. Alexander & Son may be able to get some financial relief for cyber fraud losses from its insurer - Employer’s Mutual Casualty Company (EMC) - it will be far less than what the company lost, according to what EMC adjuster Jim Mitchell told Krebs:
"They’ve got some specific coverage, but unfortunately the amount of coverage they’ve got is not going to cover anywhere near the amount of money they lost."
According to the victimized company, its bank upgraded its security system a mere month before the theft.
Prior to the upgrade, J.T. Alexander & Son's controller was required to enter a login ID, password, and a six-digit code to be read by an automated system at the bank. That automated system would then call the company.
Kristie Williams, who works in accounting and finance for J.T. Alexander, told Krebs that the security change - of which she wasn't aware - entailed transforming what was once a single-IP-controlled process into something a whole lot more promiscuous:
"... It used to be we could only access the bank’s site from my computer. … The way [the bank] changed it, anybody anywhere could access it as long as they had my login, and apparently that’s what happened because the logins came from a different IP address than our normal one. I think they made it more convenient, but less secure. I wasn’t aware all of that had changed.”
The bank didn't return Krebs's calls requesting comment.
At first blush, it looks like both the bank and the business might share the blame for the loss, but as Brian notes, it's the victim who tends to bear the liability.
Krebs includes a link to a set of online banking best practices for businesses that should help to protect businesses from being victimized in this manner.
Last year, I attended a great talk at Source: Boston about cyber liability insurance, given by Jake Kouns, director of cyber security and technology risks underwriting at insurer Markel Corp.
I was lucky enough to get him in front of a camera so as to glean some tips on buying such policies. Here's a link to the video.
There's a lot to know about these insurance policies, but here's a good first lesson: a general liability policy won't cover your organization.
The costs can be devastating, as J.T. Alexander & Son is now experiencing.
Hopefully, your business won't suffer the same fate. But in case it does, be prepared.
Now is the time to learn about the ins and outs of insurance, not after your business gets drained and your insurer tells you that you really don't have much in the way of coverage.