Hackers Stole $2.4M From Virginia Bank and Insurer Denies Coverage
On two separate occasions, hackers were able to infiltrate The National Bank of Blacksburg's computer system resulting in the bank losing approximately $2.4 million. Of course, banks have insurance for these types of losses, but Everest National Insurance Company believes this type of loss is not covered under its insurance policy. As expected, National Bank has filed a lawsuit against Everest and the parties now have to wade through litigation.
On June 28, 2018, National Bank filed its complaint in the United State District Court for The Western District of Virginia. The complaint tells a story that is becoming common in the cyber age.
The Insurance Bond
According to the Complaint, National Bank purchased an insurance bond from Everest that included a Computer and Electronic Crime Rider. The Crime Rider covers losses up to $8 million with a $125,000 deductible. The Bond also contains a Debit Card Rider that cover a single loss up to $50,000 and an aggregate limit of $250,000.
The Star Network
National Bank uses STAR Processing, Inc. (or FirstData) to provide bank card processing services for National Bank customers. FirstData provides bank card processing services to National Bank through the Star Network. The Star Network is a debit payment network that allows National Bank customers to use their bank cards at automatic teller machines (ATMs) and retailers.
National Bank employees access the STAR Network through a web portal, which is only accessible through certain computer workstations, which themselves are only accessible by certain National Bank employees. The STAR Network web portal allows National Bank employees substantial control over the parameters of National Bank customers' use of their bank cards. These parameters include the ability to remove or alter anti-theft and anti- fraud protections such as 4-digit personal identification numbers (PINs), daily withdrawal limits, daily debit card usage limits, and fraud score protections.
The First Hack
According to a report prepared by the digital forensics and security firm, Foregenix, the hackers gained access to National Bank's computer system through a phishing email that allowed the installation of malware.
Russians are the suspected culprits.
The phishing email allowed the hackers to install additional unknown malicious computer script or malware to remotely control workstations. One of the workstations had access to the STAR Network and the ability to manage National Bank customer accounts and their use of ATMs and bankcards.
Beginning on Saturday, May 28, 2016 and continuing through the early morning of Monday, May 30, 2016 (Memorial Day), the hackers used hundreds of ATMS across North America to dispense funds from National Bank customer accounts. The total loss resulting from the fraudulent disbursements, related fees, and other incidental transactions was $569,648.24
After being notified of the criminal activity, National Bank took steps to prevent further withdrawals from customer accounts. National Bank credited all customer accounts for any unauthorized activity.
After the incident, National Bank, with advice from FirstData, implemented additional protocols known as "Velocity Rules."
National Bank then made its first claim to Everest seeking coverage for the loss. Everest issued a coverage determination denying insurance for the hack under the Crime Rider. Everest determined that the loss was covered solely under the Debit Card Rider with the lower limit of $50,000.
The Second Hack
Despite the additional security protocols, National Bank suffered a second hack in January 2017. The Bank believes the same people (Russians) were involved in both hacks.
Verizon investigated the second hack. According to Verizon's report, the second hack stemmed from a phishing email containing a malicious macro Word document that dowloaded malware capable of stealing usernames, passwords and controlling the bank's computer system.
In two days, the hackers were able to use hundreds of ATMs to access funds from customer accounts in a coordinated enterprise. The total loss resulting from the disbursements was $1,833,984.58.
Again, National Bank submitted the claim to Everest, and again, Everest denied coverage under the Crime Rider. Everest accepted coverage under the Debit Card Rider but claimed that the first and second hack were a single event, and thus, total coverage was only $50,000.
It's not surprising that National bank retained lawyers to sue Everest from wrongfully denying coverage. In the lawsuit, National Bank is seeking a declaration that Everest is obligated to provide full coverage for both hacks under the Crime Rider.
Everest argues that there are multiple reasons why the Crime Rider does not provide coverage.
The Real Issue
It appears that Everest is taking the position that because the hackers used ATMs to steal the money the Debit Card Rider, and various exclusions in the Bond apply. On the other hand, National Bank is taking the position that this loss resulted from a hack into its computer systems; therefore, the Crime Rider applies. The Crime Rider states that Everest is obligated to cover:
Loss resulting directly from an unauthorized party (other than an Employee) acting alone or in collusion with others, entering or changing Electronic Data or Computer Programs within any Computer System1 . . . operated by the Insured . . . [p]rovided that the entry or change causes: (1) property [e.g. money] to be transferred, paid or delivered, (2) an account of the Insured [National Bank], or of its customer, to be added, deleted, debited or credited, or (3) an unauthorized account or a fictitious account to be debited or credited.
This is an evolving area of the law. It will be interesting to see how the Court handles this case. Will the Court determine that the loss was a result of ATM use, or will the Court find that ATM use was merely incidental to the hackers intrusion into National Bank's computer system?