Peter A Clarke

Sometimes the figures are so staggering that one has to pause and ask, is that right?  Or even possible?!?

One of those moments came when reading the aerospace parts manufacturer FACC media report that it been the victim on cyber fraud and lost €50 million. Yes €50 million.  It provides:

On January 19, 2016 FACC AG announced that it became a victim of fraudulent activities involving communication- an information technologies. To the current state of the forensic and criminal investigations, the financial accounting department of FACC Operations GmbH was the target of cyber fraud. FACC’s IT infrastructure, data security, IP rights as well as the operational business of the group are not affected by the criminal activities. The damage is an outflow of approx. EUR 50 mio of liquid funds. The management board has taken immediate structural measures and is evaluating damages and insurance claims. All production- and engineering units operate in an unaffected and normal way. An economic threat to the company concerning liquidity does not exist. The management board will decide on further actions after the outcome of the forensic investigations is available. FACC AG will announce its Q3 results tomorrow, as scheduled.

The extent of any cyber security insurance FACC had will be interesting.  As with many large data breaches the loss of personal information or as the case is here, money, the reputational damage becomes a significant problem.  And that does not include investigations by the regulators.  The coverage has been excruciating for FACC with Hackers Steal $55 million From Boeing Supplier, Hackers carry out $55m cyber heist from Boeing aerospace parts manufacturer, and $55 million stolen by Hackers from Aircraft Company! just to name a few.  The pithiest covered was by itgovernance in Hackers have stolen €50 million from an aerospace parts manufacturer. Its incredulous tone is entirely understandable providing:

Yes, €50 million.

Aerospace parts manufacturer FACC posted a notice on its website last week stating, “the financial accounting department of FACC Operations GmbH was the target of cyber fraud.” It continued: “The damage is an outflow of approx. EUR 50 mio of liquid funds. The management board has taken immediate structural measures and is evaluating damages and insurance claims.”

Information on the theft and how it occurred is minimal (the above is pretty much it), but my assumption is that it’s wire fraud conducted by a spear phishing campaign. I’m assuming this because it’s not uncommon for financial departments to be tricked into wiring money over to false accounts. In fact, Ryanair suffered a similar attack in which €4.6million was stolen via fraudulent wire transfer. There’s also very few ways to steal €50millon other than by wire fraud, and modern spear phishing is simply an evolution of methods that have been practiced for decades

The stock markets didn’t react so well either, with a 17% drop as of 21/01/2016.

Staggering amount of money

To put into perspective just how large a heist this is, the average cost of a data breach to organisations in 2015 was roughly €3.5million.

I spoke to Alan Calder, the founder and executive chairman of IT Governance, who said: “While the average cost of a data breach is €3.5million, the reality is that some companies get hacked for significantly more – here’s one where the cash loss was €50m, in addition to which is the cost of remediation and reputational damage – and on top of all this is the share price fall. The moral of the story is that you shouldn’t base your planning on the average loss suffered by organisations but on the significant impact a single breach could have on yours.”