Fraudsters used a phishing scheme to divert $10 Million dollars from a real estate technology company. This resulted in a contentious insurance lawsuit. The Court in Texas recently stayed proceedings based on "new developments." Apparently, both sides are asking for 120 days to recoup millions of dollars from somewhere else, but from where?
Let's start with the who and the what:
RealPage
RealPage provides software and data analytics to the real estate industry. It also provides back office management services for owners and managers of various property types.
RealPage also provides a service where it collects rental and other payments from residents and transfers those payments to clients. To do this, RealPage provides a web portal that residents at certain client properties can access to make their payments.
The web portal relies on a third-party software application to allocate and direct the resident payments. The application directs the payments to a bank clearing account, and then transfers those funds to the appropriate client's bank account.
Clients pay transaction fees to RealPage for these services, which are directed to RealPage's bank account through the third-party software application.
The Insurance Policy
RealPage purchased a Primary Commercial Crime Policy from an insurance company to provide coverage for losses arising out of various financial crimes, including computer fraud and other fraudulent transfers of funds.
Pertinent language in the insurance policy states:
Computer Fraud
We will pay for loss of or damage to “money”, “securities” and “other property” resulting directly from the use of any computer
to fraudulently cause a transfer of that property from inside the “premises” or “banking premises”:
a. To a person (other than a “messenger”) outside those “premises”; or
b. To a place outside those “premises”.
Funds Transfer Fraud
We will pay for loss of “funds” resulting directly from a “fraudulent instruction” directing a financial institution to transfer, pay or deliver “funds” from your “transfer account”.
The Phishing Scheme
In May 2018, unauthorized parties used a targeted phishing scheme to obtain and alter the account credentials of a RealPage employee. The fraudsters used those credentials to access the third-party software application to change certain bank account disbursement instructions.
By changing those instructions, the fraudsters diverted more than $10 million that RealPage collected through the web portal before the funds were disbursed to several clients.
While some of the funds were ultimately recovered, RealPage lost more than $6 million that was never recovered.
Insurance Company's Response
RealPage gave notice of the incident to the insurance company. Initially, the insurance company denied coverage. After further consideration, the company agreed that the incident triggered coverage under the Primary Crime Policy's Computer Fraud insuring agreement. The insurance company, however, accepted coverage only for a limited portion of RealPage's losses consisting of diverted funds that it calculated as representing transaction fees owed to RealPage by its clients.
The carrier asserted that the Primary Crime Policy did not cover the majority of RealPage's losses consisting of diverted funds that would have been sent to client bank accounts, claiming that RealPage did not “own” the funds or “hold the funds for others.” The insurance company denied coverage for these amounts.
On June 5, 2019, RealPage sued the insurance company.
The Parties Ask to Pause
Two months later, on August 1, the parties filed a joint motion asking to stay the action for 120 days.
In the joint motion, the parties said a 120-day stay of proceedings is needed because RealPage has learned that a portion of its claimed damages may be recouped from a "previously unknown source" and is currently considering this possibility. RealPage claims that it needs to investigate "new developments" related to its damages and to give the parties a chance to resolve at least a portion of the dispute without litigation.
The Court granted the joint motion and stayed the case stayed until December 2, 2019, at which point the stay will be automatically lifted.
New Developments?
What new developments? This cryptic public document leaves one to imagine that maybe RealPage and the insurance company have found a way to recoup the remaining $6 Million from the actual perpetrators.
It is possible (although highly doubtful) that with the insurance company's resources and the help of law enforcement, the funds have been tracked and are sitting in a foreign back account waiting for the necessary paperwork before being released. In most situations, however, the money is long gone.
Another possibility is that a company like RealPage probably has a stand-alone cyber policy and the insurance companies are squabbling over which policy (Cyber or Crime) should cover this incident.
Maybe, RealPage and the insurance company are considering whether some other party is at fault for the diverted funds. Maybe, they are investigating whether the third-party who provided the software for the web portal is at fault. Similar to Delta Airlines' lawsuit against its software provider after Delta was the victim of a data breach, RealPage could be considering a lawsuit against the software provider. Maybe the insurance company will fund the litigation against the software provider to recoup the funds.
As I've said before, "litigation begets litigation" and software providers should beware because they will become the target of lawsuits when a company suffers a cyber incident.
Whatever it is, we have to wait until December 2 for this "previously unknown source" to be revealed.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP
