A cyber insurance fight after two data breaches at the same organization.

In what should receive attention from all financial institutions, Virginia-based National Bank of Blacksburg, breached twice in eight months, sued its insurance provider for not covering its $2.4 million losses.

Brian Krebs in his blog KrebsOnSecurity reported hackers broke into the Virginia financial institution on two separate occasions due to an employee falling victim to a phishing attack.

According to Krebs, the email let hackers install malware on two computers at the financial institution. This allowed the invaders to access the STAR Network, a system run by First Data to process debit card transactions. The second computer managed customer accounts and their use of ATMs and bank cards.

Hackers then disabled and modified anti-theft and anti-fraud protections, such as personal identification numbers, daily withdrawal and debit card usage limits, and fraud score protections.

National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday (Memorial Day). The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

Derek Lin, chief data scientist at San Mateo, Calif.-based Exabeam, which provides a security Intelligence Platform, commented: “Many network attack vectors start with a link to a phishing URL, a carefully crafted email containing the malicious link sent to an unsuspecting employee.” Lin explains once clicked, the cycle of information loss and damage begins. Any company housing sensitive data, and in the case of financial institutions, people’s money and livelihoods, should aim to nip this problem early on by identifying and alerting on these malicious links.

Krebs noted following the 2016 breach, National Bank hired a cybersecurity forensics firm to investigate. The company determined the hacking tools and activity appeared to come from Russian-based Internet addresses.

In January 2017, according to the lawsuit, hackers again broke into the bank’s systems using a phishing email. The hackers not only regained access to the STAR Network but also compromised a workstation with access to Navigator, used to oversee credit and debit accounts.

Before completing the second attack, the hackers used the Navigator system to fraudulently credit more than $2 million to various National Bank accounts. As with the first incident, the hackers effected their break-in on a weekend, between Jan. 7 and 9, 2017. The hackers modified or removed critical security controls and extracted the fake credits using hundreds of ATMs. The bank’s total reported loss from that breach was $1,833,984.

Krebs reported National Bank in its lawsuit said it had an insurance policy with Everest National Insurance Company for two types of coverage or riders to protect it against cybercrime losses. The first was a computer and electronic crime rider that had a single loss limit liability of $8 million, with a $125,000 deductible. The second was a debit card rider, which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy had a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined the debit card rider covered both the 2016 and 2017 breaches exclusively. The insurance company said the bank could not recover lost funds under the C&E rider because of two exclusions in that rider.

“In its Coverage Determination, Everest further determined that the 2016 Intrusion and the 2017 Intrusion were a single event, and thus, pursuant to the Debit Card Rider, National Bank’s total coverage under the Bond was $50,000.00 for both intrusions,” the bank said in its lawsuit.

“There are many public and commercial data providers that offer blacklisting services or databases for potential phishing domain/URL lookup,” Lin noted. However, newly-crafted phishing URLs are difficult to identify this way. “New machine learning approaches actually flag a suspicious phishing URL previously unknown to blacklist data providers and should be considered by frequently targeted industries, like banking and finance.”

Lin also suggested financial institutions should also have security information and event management and user and entity behavior analytics solutions in place on their networks to ingest all alerts and events, create baseline activity to detect anomalous behavior, and prioritize incident response.”