Testimony of Bill Conner, President and CEO of Entrust

Before the Subcommittee on Communications and Technology
of the Energy and Commerce Committee
U.S. House of Representatives

Part 7

Malware Hitting Home

Let me give you a real-life example. Plano, Texas-based Hilary Machinery, one of the largest machine tool distributor service organizations in the southwest, had $800,000 drained from its bank accounts in two days. It wasn’t the company’s financial institution that discovered the error. It was Hilary Machinery itself.

Between November 9-10, 2009, PlainsCapital Bank received fraudulent wire-transfer instructions from a group that infiltrated the bank accounts of Hilary Machinery. Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500. Each transfer was made to a different account, which was highly unusual, and outside the norm for the company. PlainsCapital Bank was able to recover all but approximately $200,000 of the lost funds.

Now, who is responsible for the loss was a matter of question. Hilary Machinery believed that PlainsCapital should have been held liable, sued the bank and demanded repayment of the remaining $200,000.

In turn, PlainsCapital counter-sued, saying their security was, in fact, reasonable by industry standards and that it processed the wire transfers in good faith. The lawsuit was eventually settled, but the point is that this could have happened to any small business in terms of the attack and fallout. Compounding the problem is that, if this theft had affected an individual, at least the FDIC would have made them whole. But small-business accounts aren’t protected. So they are out the money unless they have the means to sue and the amount of loss is more than the cost of litigation.

Also, this is the silent crime. Small businesses that have been hit do not have PR shops or press agents and have little reason to let the public know they have been impacted. And the banks have little incentive to tell consumers that their fraud detection and passcode methods do not actually work against such threats. So while this cybercrime is widespread, you do not hear about it and that leaves more and more companies unaware that they need to do more.