Hackers used phishing emails to break into a Virginia bank’s computer system on two occasions over an eight-month span, according to a complaint filed with the U.S. District Court for the Western Division of Virginia. Their take was more than $2.4 million, according to law enforcement officials. Forensic analysis attributes the thefts to Russian hackers.
The National Bank of Blacksburg is now suing its insurance company for refusing to cover the losses.
In May 2016, employees at the bank received a phishing email encouraging them to click on a link. As a result, the hackers were able to install software on an employee’s computer and, from there, reach a second computer with access to the STAR financial network. That allowed the hackers to access customer accounts as well as ATM and debit cards.
The hackers then disabled PIN numbers and daily withdrawal limits and withdrew nearly $600,000 from hundreds of ATMs across the country.
The following January, after new security software was installed, the hackers broke into the bank’s system once again using another phishing email. They got into the STAR system a second time, as well as onto a workstation that provided access to customers’ accounts.
They used this new workstation to credit over $2 million to a variety of the bank’s accounts, then withdrew nearly $2 million from the bank.
National Bank is now suing its insurance company, Everest National Insurance Company, to recover its losses. The lawsuit turns on the two coverage riders the bank holds: a “computer and electronic crime” (C&E) rider that has a single loss limit of liability of $8 million, and a “debit card rider” that provides coverage for losses which result directly from the use of lost, stolen, or altered debit cards or counterfeit cards in the amount of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.
The insurance company is willing to pay under the latter rider, but not the former, claiming the C&E rider has exclusions that exempt it from paying.
For more details you can check out the lawsuit here.