Case Study: Cyber Security Incident and Response

THE PROBLEM:

On 4 November 2021, a Real Estate Company paid its weekly bill cycle, which included some commission payments to its salespeople. The company considered itself to have a ‘strong’ set of systems around its payments and information security.

On 5 November 2021, the company C.E.O. and Principal Licensee received a call from two salespeople saying their commission had yet to arrive. The company and its salespeople all banked with tier-one banking institutions. 

Checking the stored banking details for the salespeople with them over the phone confirmed the C.E.O.’s gut feeling.

These accounts had been altered and were not the accounts of the intended recipients.

Whilst it was clear there was ‘foul play’ at hand, the company C.E.O. instantly felt ill, not knowing how many employee accounts, or entries in their creditor and supplier list, might have been changed.

As it turned out, the company’s account details and the two salespeople’s bank accounts were altered in their accounting software. 

Just over $75,000 was ‘stolen’ by the Cyber Hackers.  

THE ANALYSIS:

A phone call to the company’s cyber insurer Aon, underwritten by C.F.C., immediately began the remediation process.  

The company C.E.O. listed all the stakeholders involved in the cyber fraud in a table with their contact information and organised an initial video conference for the key stakeholders.

There was work to do for each party. The company C.E.O. (also the Licensee) provided all information as quickly as possible to the relevant stakeholders. The company’s Administration Officer contacted each employee by telephone to inform them of the incident and check that their personal information, including banking details, was correct.

To be sure, the company’s Financial Officer contacted each creditor and supplier before any future payments were made to ensure they had not been jeopardised.

The underwriters engaged a Cyber Fraud team to conduct an I.T. forensic investigation and Cyber Lawyers who would investigate the matter of a potential privacy breach.

The company’s C.E.O. told Aon that it was his firm belief that one person (in this case, him) controls all the communications between the stakeholders. This ensured consistency of communication between the stakeholders, and any response time for information requests by a stakeholder was minimal. The Company C.E.O. quickly cleared time daily in his calendar.

All passwords for the company were immediately changed by their I.T. support service, Multi-Factor Authentication was reinstated, and email rules were deleted.

The Cyber Fraud team found that the ‘hackers’ had been in the company’s system for months, presumably monitoring the movement of money to see who was getting paid and when.

The I.T. Forensic Team found a phishing email that had been sent to an email account the company had set up to capture industry news.

This appeared to be the point of entry for the ‘hackers’.

Whilst the company felt they had tight I.T. and financial security controls in place, the ‘hackers’ managed to make themselves relatively invisible by conducting a combination of actions which included:

  • Turning off multi-factor authentication on the company’s accounting software;
  • Establishing email rules so that any changes to bank account details in the company’s accounting software were not visible to anyone and subsequently ‘double deleted’;
  • Adding additional email rules between the company’s C.E.O., Finance Officer and Sales Co-ordinator (who sends trust account disbursement requests to the C.E.O.), disabling any immediate email communication amongst those who move money within the company; and
  • Setting up Tier 1 Australian bank accounts at different institutions to house the stolen funds.
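
A defender-side check for the email rule abuse listed above, as an added example that is not part of the original case study: it audits an exported list of mailbox rules for ones that delete or move finance notifications, or mail from the people who move money. The rule record fields, addresses and keyword list are assumptions, and the sample rules are constructed.

```python
import re

# Assumed wording of accounting-software notifications; adjust to your own system.
FINANCE_TERMS = re.compile(
    r"bank|account details|bsb|payee|payment|commission|disbursement", re.I)
# Rule actions that remove a message from the inbox view (hypothetical names).
HIDING_ACTIONS = {"delete", "permanent_delete", "move_to_folder"}


def audit_rules(rules, money_movers):
    """Flag rules that hide finance notifications or mail between money movers."""
    movers = {addr.lower() for addr in money_movers}
    findings = []
    for rule in rules:
        if not HIDING_ACTIONS & set(rule["actions"]):
            continue  # rule leaves the message visible in the inbox
        reasons = []
        if FINANCE_TERMS.search(" ".join(rule.get("contains", []))):
            reasons.append("hides finance-related notifications")
        senders = movers & {s.lower() for s in rule.get("from", [])}
        if senders:
            reasons.append("hides mail from " + ", ".join(sorted(senders)))
        if reasons:
            findings.append((rule["mailbox"], rule["name"], reasons))
    return findings


# Constructed sample data: addresses, rule names and field names are hypothetical.
MONEY_MOVERS = ["ceo@example.test", "finance@example.test", "sales.coord@example.test"]
SAMPLE_RULES = [
    {"mailbox": "finance@example.test", "name": "Industry newsletters",
     "contains": ["newsletter"], "from": [], "actions": ["move_to_folder"]},
    {"mailbox": "finance@example.test", "name": ".",
     "contains": ["bank account details changed"], "from": [],
     "actions": ["permanent_delete"]},
    {"mailbox": "ceo@example.test", "name": "..",
     "contains": [], "from": ["Sales.Coord@example.test"],
     "actions": ["move_to_folder"]},
    {"mailbox": "ceo@example.test", "name": "Flag finance mail",
     "contains": ["payment"], "from": ["finance@example.test"],
     "actions": ["flag"]},
]

if __name__ == "__main__":
    for mailbox, name, reasons in audit_rules(SAMPLE_RULES, MONEY_MOVERS):
        print(f"{mailbox}: rule {name!r}: {'; '.join(reasons)}")
```

Running the same audit on a schedule, and alerting when a new finding appears, would surface rules like these before the next payment run rather than after it.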

THE SOLUTION:

The company C.E.O. told Aon they would have been at a complete loss without the specific Cyber Insurance they carried. “Having the money returned by the underwriters was important, as it had long vanished from the bank accounts they set up. Notably, it was the rigorous remedial process and the advice we needed along the way which was the real benefit of having the insurance policy,” said the company C.E.O.

“I cannot even imagine what it would be like not to have this insurance”, the C.E.O. told Aon.

The company C.E.O. felt that their I.T. protection protocols and financial protection systems were ‘tight’. Even so, there were several steps that the organisation had to introduce to reduce the risk of this recurring in the future. This advice was provided to the company as part of having the Cyber policy in place.

“If you are not well insured for Cyber fraud, you are mad. It isn’t just stolen money that can be a problem. It’s far greater than that!”. This is a simple yet telling statement from the C.E.O. of a well-regarded Australian Real Estate business.