NC Fuel Company Loses $800K to Cyber-Thieves

Here is a perfect example of what I was talking about in my last post.   To read the full gruesome details go to the Sophos blog.

Basically, a small, 15 employee fuel distribution company in North Carolina suffered an $800,000 loss due to changes that their bank made to the security of the online banking system.  The old system required a user to log in from a known and approved IP address, enter a password and a secret PIN number, and then the bank would call back using an automated dialer.  The online transaction would be connected only if every step completed successfully.  In this way, online financial transactions could only originate from computers inside the company’s building.  This, actually, is quite secure and almost impossible to spoof. 

The bank had recently changed their system to allow users to logon from any IP address, certainly more convenient, but less secure.

The thieves attacked their payroll account, removing amounts below $5000 and $10,000 and sending the money via ACH to money mules who laundered the funds and sent them on to the ringleaders.  The theft continued for 5 days before it was detected.

Bi-weekly payroll for the company is typically about $30,000, so the lost funds amount to about a years wages and salaries for the company.  The company’s insurance policy covered some of the loss, but not much, due to low limits in the policy.  The bank, of course, is not taking any responsibility for the losses.  According to the CEO, this is a significant and painful loss for the company.

So the lessons here?  Longer, harder to crack passwords for starters, but you ought to have your online banking system reviewed by a computer and network security specialist, who can advise you about how well your bank is protecting your accounts from online attacks.  Just remember, if it is easy and convenient for you to use their system, it’s easy for the bad guys, too.  Also, take a look at your business general liability policy.  It is unlikely that there are any significant protections for cyber-crime and financial fraud of this sort.  you may have to invest in a separate policy or a special rider in order to be covered from this sort of theft.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.