Seafood importer Aqua Star has lost a coverage dispute over a loss that occurred when its employees were tricked into wiring money into the wrong bank accounts.
According to court statements, the firm’s supplier, Zhanjiang Longwei Aquatic Products Industry Co. Ltd., was hacked in 2013, and the hackers sent spoofed emails to Aqua Star employees, providing false routing information.
In the spoofed emails, the hackers directed an Aqua Star employee to change the bank account information Aqua Star had on record for Longwei for future wire transfer payments.
The Aqua Star employee inserted the revised banking information into Aqua Star’s computer system, which was then used to create Wire Confirmation Detail instructions that were transmitted to Aqua Star’s bank, the Bank of America. As a result, USD 713,890 was wired to the hacker’s account before the fraud came to light.
The US District Court for the Western District of Washington agreed with the insurer, Travelers Casualty and Surety Company of America, that Aqua Star’s computer fraud policy did not provide coverage because an employee had copied information from the spoofed email and saved it into a spreadsheet on the Aqua Star system.
The firm’s policy excluded coverage for losses caused, even in part, by an authorized user’s entry of electronic data into the company’s computer system.
Under this ruling, Aqua Star’s computer fraud policy did not provide coverage for one of the most prevalent computer fraud scams being perpetrated today.
Cyber Security Business highlights that the Court’s decision offers guidance to fidelity insurers with respect to the application of the “authorized entry” exclusion found in the base wording of many commercial crime policies and illustrates how this exclusion may operate in the context of a social engineering fraud loss.