Fool me once shame on you, fool me twice…
The National Bank of Blacksburg, a Virginia-based bank, claims its insurance provider refused to cover the two-and-a-half-million-dollar loss the bank suffered from its 2016 and 2017 security breaches. The bank was breached not once, but twice in eight months, after hackers broke into the Virginia financial institution via a convincing phishing email sent to an unwitting bank employee.
Brian Krebs reported on his blog, KrebsOnSecurity, that through the email the hackers were able to install malware on the victim's computer, allowing the thieves to compromise a second computer with access to the STAR Network. The STAR Network is responsible for processing debit card transactions and managing customer accounts, including ATM and bank cards.
It is unknown whether the first compromised computer or user had authorized access to the STAR Network. What is clear is that the second computer's access to sensitive information on the STAR Network deserved stricter safeguards and protocols, consisting perhaps of an air gap or another mechanism that prevents a non-authorized computer or user from gaining elevated privileges and access to the bank's network.
Beginning Saturday, May 28, 2016, hackers modified anti-theft and anti-fraud protections, disabling daily withdrawal and debit card limits, which allowed them to use hundreds of ATMs across North America. The attack took place over Memorial Day weekend, giving the hackers three days to dispense more than half a million dollars. The attack occurred again in January 2017, almost eight months later, using the same phishing email attack, this time to the tune of just under two million dollars.
Krebs noted that, following the 2016 breach, the Blacksburg National Bank hired a cybersecurity forensics firm to investigate. The company determined that the hacking tools and activity appeared to come from Russia-based Internet addresses.
The bank implemented additional security protocols to harden its security policy and access controls in an effort to prevent a follow-on attack. Unfortunately, the unwitting insider threat (an employee clicking on a link in a phishing email) is the most difficult to prevent, yet the easiest to educate against. It still remains the most prevalent method for attackers to get inside even the most secure network systems, as was the case just eight months later.
With respect to the lawsuit filed by The National Bank of Blacksburg, the Everest National Insurance Company is refusing to cover the two million dollar loss, citing a debit card rider that carries an aggregate limit of only $250k for losses resulting directly from lost, stolen or altered debit cards. The primary rider is a computer and electronic rider with a single loss limit of $8 million. In June 2018, Everest determined that the debit card rider covered both the 2016 and 2017 breaches exclusively, and said the bank could not recover lost funds under the primary rider.