PC store told it can't claim full cyber-crime insurance after social-engineering attack
Two different kinds of fraud, says judge while throwing out lawsuit against insurer
A Minnesota computer store suing its crime insurance provider has had its case dismissed, with the courts saying it was a clear instance of social engineering, a crime for which the insurer was only liable to cover a fraction of total losses.
SJ Computers alleged in a November lawsuit [PDF] that Travelers Casualty and Surety Co. owed it far more than paid on a claim for nearly $600,000 in losses due to a successful business email compromise (BEC) attack.
According to its website, SJ Computers is a Microsoft Authorized Refurbisher, reselling Dell, HP, Lenovo and Acer products, as well as providing tech services including software installs and upgrades.
Travelers, which filed a motion to dismiss, said SJ's policy clearly delineated between computer fraud and social engineering fraud. The motion was granted [PDF] with prejudice last Friday.
In the dismissal order, the US District Court for Minnesota found that the two policy agreements are mutually exclusive, as well as finding SJ's claim fell squarely into its social engineering fraud agreement with Travelers, which has a cap of $100,000.
When SJ filed its claim with Travelers, the court noted, it did so only under the social engineering fraud agreement. After realizing the policy limit on computer fraud was 10 times higher, "SJ Computers then made a series of arguments – ranging from creative to desperate – to try to persuade Travelers that its loss was not the result of social-engineering-fraud (as SJ Computers itself had initially said) but instead the result of computer fraud," the district judge wrote in the order.
SJ Computers' case is a fairly cut-and-dried instance of BEC, in which an attacker gains access to a legitimate email account and uses it to trick a business into transferring funds, or sending sensitive data, to attacker-controlled accounts.
In SJ's instance, an attacker sent fake invoices to SJ's purchasing manager, then gained access to the purchasing manager's email account by a method not specified in the lawsuit or dismissal order.
Once inside, the attacker sent the purchase agreements to SJ's CEO, who typically signs off on such orders, court documents said. Because the fraudulent invoices included a change of bank account information, the CEO called the vendor for confirmation, but got no response before the deadline listed on the invoice.
Without word back, SJ initiated two wire transfers totaling $593,555, and didn't discover the fraud before the payments had cleared.
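The counterfactuals the order lists (a call to the vendor that went unanswered, an invoice deadline that was honoured anyway) map onto a payment-release control many finance teams put into software. The following is an added example, not code from the article, the court, SJ Computers or Travelers: a small Python gate that holds any wire whose bank details differ from the vendor's on-file record until a human records a confirmation obtained through the phone number on file, ignores any callback number printed on the invoice itself, and treats a looming or missed deadline as a reason to hold rather than to pay. All vendor names, account numbers, phone numbers and dates are made up; only the wire total comes from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed example. Names, account numbers, phone numbers and dates are
# made up; only the 593,555 figure is taken from the article.


@dataclass
class VendorRecord:
    name: str
    bank_account: str   # account verified when the vendor was onboarded
    phone_on_file: str  # the only number ever used for confirmation calls


@dataclass
class Invoice:
    invoice_id: str
    vendor_name: str
    amount: float
    bank_account: str                      # account printed on the invoice
    due: date
    callback_phone: Optional[str] = None   # number printed on the invoice: untrusted


@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)


# (vendor name, new account) pairs a human confirmed by reaching the vendor
# on vendor.phone_on_file. A voicemail left is not a confirmation.
ConfirmedChanges = Set[Tuple[str, str]]


def review_invoice(invoice: Invoice, vendor: VendorRecord,
                   confirmed: ConfirmedChanges, today: date) -> Decision:
    """Decide whether accounts payable may release a wire for `invoice`."""
    if invoice.bank_account == vendor.bank_account:
        return Decision(True, ["bank details match the on-file record"])

    reasons = ["bank account on invoice differs from the on-file account"]

    # Never call a number supplied by the document under suspicion.
    if invoice.callback_phone and invoice.callback_phone != vendor.phone_on_file:
        reasons.append("invoice carries a callback number that is not on file; it is ignored")

    if (invoice.vendor_name, invoice.bank_account) in confirmed:
        reasons.append("change confirmed through the on-file phone number")
        return Decision(True, reasons)

    if invoice.due <= today:
        reasons.append("due date reached but change unconfirmed; deadline pressure is not an override")

    reasons.append("HOLD: reach the vendor on the on-file number before paying")
    return Decision(False, reasons)


# --- constructed scenario mirroring the article's sequence of events ---------

VENDOR = VendorRecord("Example Vendor", "ACCT-ONFILE-001", "+1-555-0100")
SUSPECT_INVOICE = Invoice("INV-1001", "Example Vendor", 593555.0,
                          "ACCT-NEW-999", date(2022, 1, 10), "+1-555-0199")
REVIEW_DAY = date(2022, 1, 11)   # day after the invoice deadline


def demo_unconfirmed() -> Decision:
    """Vendor never called back: the wire must stay on hold."""
    return review_invoice(SUSPECT_INVOICE, VENDOR, set(), REVIEW_DAY)


def demo_confirmed() -> Decision:
    """Vendor reached on the on-file number and confirmed the new account."""
    return review_invoice(SUSPECT_INVOICE, VENDOR,
                          {("Example Vendor", "ACCT-NEW-999")}, REVIEW_DAY)


def demo_unchanged() -> Decision:
    """Routine invoice with the on-file account: no extra step needed."""
    routine = Invoice("INV-1002", "Example Vendor", 100.0, "ACCT-ONFILE-001", date(2022, 1, 10))
    return review_invoice(routine, VENDOR, set(), REVIEW_DAY)


if __name__ == "__main__":
    for name, fn in [("unconfirmed", demo_unconfirmed),
                     ("confirmed", demo_confirmed),
                     ("unchanged", demo_unchanged)]:
        d = fn()
        print(f"{name}: release={d.release}")
        for r in d.reasons:
            print("  -", r)
```

The design choice that matters is where the confirmation comes from: the gate accepts only a record that someone reached the vendor on the number stored at onboarding, so a changed account plus a silent vendor can only produce a hold, whatever the invoice says about its deadline.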
According to the court's dismissal filing, Travelers defines computer fraud, which it covers up to $1m, as "intentional, unauthorized, and fraudulent entry or change of data or computer instructions directly into a computer system." At the same time, Travelers' computer fraud policy states that such entries or changes made by employees or authorized persons on the basis of fraudulent instructions are not covered.
Social engineering fraud, which is what Travelers agreed to cover SJ under, is defined in the policy as "the intentional misleading of an employee or authorized person by a natural person impersonating [vendors, clients, employees or authorized persons] through the use of a communication."
"It is clear from the complaint… that SJ Computers' loss is covered under the social-engineering-fraud agreement and not under the computer-fraud agreement," the order said.
SJ Computers did not suffer a penny of financial loss when the bad actor hit "send" on his email messages. And SJ Computers would never have suffered a penny of financial loss if the CEO had not opened those email messages, or if the CEO had asked the purchasing manager about them, or if ERI Direct had answered its phone when the CEO called, or if ERI Direct had promptly returned the voicemail message left by the CEO, or if the CEO had waited to hear from ERI Direct before paying the invoices.
According to Chief District Judge Patrick Schiltz, who handed down the order, this case treads somewhat new legal ground. In the opinion, Schiltz noted that both SJ's lawsuit and Travelers' dismissal motion only cite three other cases, all from different jurisdictions, that "analyze the concept of direct causation in the context of computer or social-engineering fraud."
All of those cases had a major difference in common, the court pointed out – none of them involved insurance policies that cover both computer and social engineering fraud, or make clear that the two types of fraud are different, mutually exclusive categories.
This case, therefore, is less of a litmus test for the future of legal disagreements around social engineering insurance payouts, and more an examination of a close reading of contracts.
"[Travelers'] Policy clearly anticipates – and clearly addresses – precisely the situation that gave rise to SJ Computers' loss, and the Policy bends over backwards to make clear that this situation involves social-engineering fraud, not computer fraud," Schiltz said. ®