Last month The National Bank of Blacksburg filed a lawsuit against its insurer, Everest National Insurance Company. The lawsuit stems from the theft of $2.4 million from the Virginia-based bank over the course of two data breaches. This information comes primarily from the court filing in the Western District of Virginia.
The Data Breach
The National Bank of Blacksburg suffered two data breaches, each the result of a separate phishing email campaign.
The first phishing campaign took place in late May 2016 and allowed the hackers to install malware on the initial terminal. Another workstation was then infected, and this time it gave the hackers access to the STAR Network, the bank’s system from First Point that handles all debit card transactions. This meant the hackers could now reach the accounts of any customer using a debit card or the ATM.
It was at this point that the hackers changed security rules, clearances, and even PIN numbers. Then, from Saturday, May 28, 2016, through Memorial Day, the hackers managed to steal approximately $569,000.
This, of course, was only the first incident, which was investigated by a security firm called Foregenix. Taking into account lessons learned, and with some recommendations from First Point, the bank implemented fraud prevention measures intended to stop another incident from happening. These measures are referred to as velocity rules.
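To make “velocity rules” concrete, here is an added example (not code from this post, the bank, First Point, or Foregenix) of a simple velocity check run over a constructed batch of ATM events. The thresholds are hypothetical assumptions: no more than three withdrawals or $1,000 per card within a one-hour sliding window, plus a 24-hour cooldown after a PIN change, which mirrors the PIN changes described above. The post does not state what the bank’s actual rule settings were.

```python
from collections import deque
from datetime import datetime, timedelta

# Illustrative thresholds only; the bank's real velocity rule settings are not known.
MAX_WITHDRAWALS_PER_WINDOW = 3
MAX_AMOUNT_PER_WINDOW = 1000.00
WINDOW = timedelta(hours=1)
PIN_CHANGE_COOLDOWN = timedelta(hours=24)


def evaluate_velocity(events, max_count=MAX_WITHDRAWALS_PER_WINDOW,
                      max_amount=MAX_AMOUNT_PER_WINDOW, window=WINDOW,
                      pin_cooldown=PIN_CHANGE_COOLDOWN):
    """Apply velocity rules to a stream of card events.

    Each event is a dict with keys: card, ts (datetime), type
    ("withdrawal" or "pin_change") and, for withdrawals, amount.
    Returns a list of alerts, one per withdrawal that breaches a rule,
    ordered by timestamp.
    """
    withdrawals = {}      # card -> deque of (ts, amount) inside the sliding window
    last_pin_change = {}  # card -> timestamp of most recent PIN change
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):
        card, ts = ev["card"], ev["ts"]

        if ev["type"] == "pin_change":
            last_pin_change[card] = ts
            continue
        if ev["type"] != "withdrawal":
            continue  # other event types are ignored by this rule set

        # Maintain the per-card sliding window of recent withdrawals.
        recent = withdrawals.setdefault(card, deque())
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        recent.append((ts, ev["amount"]))

        reasons = []
        if len(recent) > max_count:
            reasons.append(f"{len(recent)} withdrawals in {window}")
        total = sum(amount for _, amount in recent)
        if total > max_amount:
            reasons.append(f"${total:.2f} withdrawn in {window}")
        pin_ts = last_pin_change.get(card)
        if pin_ts is not None and ts - pin_ts <= pin_cooldown:
            reasons.append("withdrawal within pin-change cooldown")

        if reasons:
            alerts.append({"card": card, "ts": ts, "reasons": reasons})
    return alerts


def _t(hour, minute):
    # Constructed timestamps on the weekend date mentioned in the post.
    return datetime(2016, 5, 28, hour, minute)


# Constructed sample events (not real transaction data).
SAMPLE_EVENTS = [
    # Card 1111: four $200 withdrawals in 30 minutes -> count rule fires on the 4th.
    {"card": "1111", "ts": _t(1, 0), "type": "withdrawal", "amount": 200.0},
    {"card": "1111", "ts": _t(1, 10), "type": "withdrawal", "amount": 200.0},
    {"card": "1111", "ts": _t(1, 20), "type": "withdrawal", "amount": 200.0},
    {"card": "1111", "ts": _t(1, 30), "type": "withdrawal", "amount": 200.0},
    # Card 2222: PIN changed, then a withdrawal 15 minutes later -> cooldown rule fires.
    {"card": "2222", "ts": _t(0, 30), "type": "pin_change"},
    {"card": "2222", "ts": _t(0, 45), "type": "withdrawal", "amount": 100.0},
    # Card 3333: two $600 withdrawals in 20 minutes -> amount rule fires on the 2nd.
    {"card": "3333", "ts": _t(2, 0), "type": "withdrawal", "amount": 600.0},
    {"card": "3333", "ts": _t(2, 20), "type": "withdrawal", "amount": 600.0},
    # Card 4444: ordinary activity, hours apart -> no alert.
    {"card": "4444", "ts": _t(9, 0), "type": "withdrawal", "amount": 40.0},
    {"card": "4444", "ts": _t(12, 0), "type": "withdrawal", "amount": 60.0},
]


if __name__ == "__main__":
    for alert in evaluate_velocity(SAMPLE_EVENTS):
        print(alert["ts"].isoformat(), alert["card"], "; ".join(alert["reasons"]))
```

The point of the PIN-change cooldown is that a velocity rule keyed only on withdrawal counts can miss an attacker who has already raised limits or reset PINs through a compromised back-office system; correlating account-control changes with subsequent cash-outs catches the pattern described in the first breach.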
Despite these new security measures, the hackers once again gained access to the bank’s systems eight months later, in January 2017.
This time the breach succeeded because an employee opened a malicious Microsoft Word document attached to a phishing email. The hackers once again worked over a weekend and this time managed to steal $1.8 million. Verizon handled the second investigation and concluded that the cause was a phishing email.
Everest National Insurance Company refused to cover the total loss, which prompted the National Bank of Blacksburg to file its claim.
In a Krebs on Security interview with Charisse Castagnoli, adjunct professor at The John Marshall Law School, she states: “While it is fairly easy to write a policy around data breach liability, when it comes to actual intrusions and managing intrusions, it’s a wild wild west.” Insurance coverage, like any insurance, becomes complicated when an event actually happens. Companies should review the specifics of their contracts with legal and cyber security experts to ensure they receive the coverage they need.
Cyber Security & Moral Hazard
Cyber security faces a problem similar to one found in healthcare markets: moral hazard, a type of market failure.
Moral hazard arises when a party, in this case a company, receives insurance coverage and consequently has less incentive to take adequate precautions against harm. Here, not enough was done by the National Bank of Blacksburg to prevent a second data breach, especially considering that the hackers used the same methods as the first time.
While getting insurance is recommended to recover from losses in the event of a data breach, prevention is always preferable and cheaper.
In this case, both attacks happened because of targeted phishing campaigns, which indicates a need for security education, monitoring, and insider threat mitigation practices. Investment in improving processes, technology, and employee knowledge could have gone a long way toward preventing the costs of this data breach. Just because a company has insurance does not mean it can be careless about cyber threat risk mitigation. Until companies take security investment seriously, we can expect to see many more court cases where the insurer’s expectations do not match those of the insured company.