The National Bank of Blacksburg is suing an insurance firm over payouts related to two phishing attacks, in the space of a few months, in which crooks stole more than $2.4 million.
In a suit first reported by blogger Brian Krebs, the bank says that in 2016 a phishing email hooked one of its staffers, planting malware that enabled criminals to remotely control a workstation which had access to First Data's Star Network for card payments. This enabled the thieves to remove and modify security measures and then, over a weekend in May, use hundreds of ATMs across the US to steal funds from customer accounts, leading to a loss of more than $560,000.
Following the incident, the bank worked with First Data to roll out additional security protocols, called the Velocity Rules. However, eight months later hackers again gained access to the bank's systems via a phishing email, getting to the Star Network, as well as Navigator, software used to manage credits and debits to customer accounts. The thieves used Navigator to fraudulently credit more than $2 million to customer accounts before carrying out another ATM cash-out operation, stealing more than $1.8 million.
The bank is now suing Everest National Insurance Company for breach of contract and bad faith denial of coverage.
The bank's suit says that its bond with Everest contains two riders. The first, a C&E rider that provides coverage for losses which "result directly from an intrusion" into its computer system, has a single loss limit of liability of $8 million. The second, a debit card rider that provides coverage for losses resulting directly from the use of lost, stolen, counterfeit or altered cards, has a single loss limit of liability of just $50,000 and an aggregate limit of $250,000.
Everest denied coverage for both attacks under the C&E crime rider, asserting that they were covered by the debit card rider. The insurer cited two exclusions in the C&E rider and also determined that the two attacks were a single event, meaning that the bank's total coverage was just $50,000.
The bank is suing, arguing: "But for this unlawful hacking and the intrusions into its computer systems, National Bank would not have suffered any losses," adding: "Critical to this Court’s analysis of National Bank’s claims, none of the losses arise from a National Bank customer’s debit card being stolen, or from their debit card information being stolen directly from a National Bank customer’s possession without their knowledge or permission."