Hackers Breached Virginia Bank Twice in Eight Months, Stole $2.4M

Brian Krebs reports: Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses. According to a lawsuit filed last month in the Western District of Virginia, the first heist took place in late May 2016, after an employee at The National Bank of Blacksburg fell victim to a targeted phishing email. The email allowed the intruders to install malware on the victim's PC and to compromise a second computer at the bank that had access to the STAR Network, a system run by financial industry giant First Data that the bank uses to handle debit card transactions for customers. That second computer had the ability to manage National Bank customer accounts and their use of ATMs and bank cards.

Re:Insurance didn't protect them

[xxxJonBoyxxx]

I think they just found out that "cybersecurity insurance" is a joke: one missing patch or badly configured machine and your insurer will deny you. Remember, these are that same folks that manage medical insurance - you sure you want a bunch of "claim denied" messages when your IT systems go t**s up?

Twice?!?!

[Major+Blud]

Now the financial institution is suing its insurance provider for refusing to fully cover the losses.

Hack me once, shame on you, hack me twice, shame on me?

Seriously, 8 months passed between the phishing incidents. That's plenty enough time to do a security audit and train your staff, and the insurance company knows that.

Re:This is the new reality of banking security

[Rick+Schumann]

It's no longer about preventing attacks from happening, but accepting that they are going to happen

Bullshit. There's a word for what you're talking about: surrender. In 2018 people should be smarter and systems should be more secure, but for some reason they're not. This needs to be FIXED. Throwing up your hands and saying "Oh well, guess that's just the way it is!" is cowardly and idiotic in the extreme. If what you're saying was actually true then the only course of action anyone with an average IQ or above could logically take would be to pull all their money out of all accounts and keep it at home in a safe buried in the ground, or at least stashed in a safety deposit box at a bank, or similar hardened secure facility, and pay cash for everything, forever. Banks would fold, e-commerce would dry up and die, as we functionally went back to no later than the 1950's. It's bad enough that I see how many breaches of financial systems there are all the time and have had to personally resort to paying cash for everything I do in person (to reduce my overall exposure to risk) but to just give up is nonsense. We have to do better, we have to fix the security problems.

Illiterate IT People

[chill]

Part of the problem, if judging by the existing 41 comments here on Slashdot, is IT people either *can't* or *won't* read. All y'all are bitching about an insurance company denying the claim, etc.

They didn't deny the claim! There are *two* policy riders possibly that cover situation and the insurance company is claiming the one with the $250,000 cap is the one that applies -- so paid that one.

It is an interesting *legal* situation, but totally not at all what the slashmob is whining about.