
EmptyTimCup

Guest
:popcorn:



Company Suffers $588,000 Cyberheist - Judge: "Too Bad"

Cyber security experts are expressing serious concern over a decision on a cyberheist lawsuit case by a judge from Maine last week. If his ruling is adopted by other U.S. district courts, it will make things more difficult for other cybercrime victim businesses to dispute the effectiveness of security measures employed by banks and increase the burden on companies already struggling within a failing economy.

Sanford, Maine-based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank in May 2009. The case has slowly moved through the system, but there is news. The original lawsuit alleges that Ocean Bank did not do enough to prevent cyber criminals from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period.


Note that businesses do not have the same legal protections against online banking fraud that consumers enjoy. Consumers generally have 60 days from receiving a bank statement to dispute any fraudulent charges, and in nearly all cases those charges will be reversed. But both for-profit and non-profit organizations that experience fraud with their online banking accounts usually lose any money from unauthorized transactions that aren't reported to the bank within 24 hours, and even then there is no guarantee that all or any of the fraudulent transfers will be reversed or halted.

According to Patco's filed complaint, the fraudulent transfers began when cyber thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257. For more details on this cyberheist: Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security — Krebs on Security

The question becomes "how did the bad guys gain access to this company's online accounts?" And one can quickly conclude that it was through some unsuspecting employee getting phished and opening up the network for an infection, likely with the ZeuS malware.

This case clearly shows you need state-of-the-art endpoint protection that gets updated with high frequency and has a very high percentage score of proactive protection. VIPRE comes to mind for sure.

Also an obvious conclusion is that if you want to protect your network from external cybercriminals, have another look at Defense-in-Depth. Here is a page that will get you the concept in a nutshell: KnowBe4 | Defense-In-Depth
 