Data breaches carry many costs, both direct and indirect. The immediate financial impact may be fines imposed by data protection authorities, such as those under the GDPR. Other costs are indirect and felt over the medium term: the largest cost of a data breach is usually the business lost through reputational damage after the incident. Some breaches, however, translate straight into financial loss.

The latest data breach with million-dollar losses

On May 13, Norway’s development finance institution, Norfund, announced that it had lost $10 million in an “advanced data breach”. In a statement, the fund said that it was “closely collaborating with the police and other relevant authorities” after a “series of events” allowed cybercriminals to steal $10 million from the organization.

How they pulled off this scam

In the statement, the fund explained that a data breach had given the cybercriminals access to information about a $10 million loan. Using a combination of manipulated data and falsified information, the scammers impersonated the borrowing institution and diverted the funds away from the legitimate recipient and into a bank account under their control.

A Norfund spokesperson explained that “The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content, and use of language. Documents and payment details were falsified.”

The stolen funds were diverted to an account in Mexico that had the same name as the Cambodian microfinance institution that had requested the loan. The theft occurred on March 16, but wasn’t discovered until April 30, when the defrauders tried to get more money from Norfund.

BEC scams: An ever present threat

Although Norfund has not disclosed many details about how the defrauders were able to manipulate communications between the organization and the legitimate recipient of the loan, the pattern matches a BEC scam. BEC (business email compromise) scams impersonate a client or a company executive to get the victim to make a bank transfer to an account the attacker controls.

BEC scams are increasingly profitable for cybercriminals. According to the FBI’s Internet Crime Complaint Center, this kind of cybercrime caused losses of $676 million in the USA in 2017; in 2019, the figure reached $1.77 billion, roughly half of all the money reported lost to cybercrime that year.

How to avoid incidents of this kind

The attackers at Norfund combined several tactics to steal $10 million. However, as the organization itself has explained, the fraud was made possible by a data breach: knowing the details of the loan is what let the defrauders produce realistic correspondence. The data that your company handles, whether personal or confidential, must be protected with strict measures to ensure that it is not exfiltrated. Panda Data Control discovers, audits, and monitors unstructured personal data on computers, covering data at rest, data in use and data in motion, so that if anyone performs unusual actions on personal data or tries to steal it, you are notified.

BEC scams always start with an email. In fact, email is the gateway to most cyberthreats today. It is therefore essential to educate employees about being prudent with incoming mail: they must never open attachments or follow links from unknown senders. Note, though, that this alone would not have stopped the Norfund fraud. By the fund’s own account, the defrauders inserted themselves into an existing exchange with a known counterparty and falsified documents and payment details within it. The decisive control is procedural: any new or changed bank account for a payment must be confirmed through a channel other than the email thread in which it arrived, such as a call to a phone number already on file, before funds are released. A beneficiary name that matches the expected recipient proves nothing, as the account in Mexico carrying the Cambodian institution’s name shows.
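The following is an added illustration of that control, not code from the original article or from Norfund or Panda Security. It checks an outbound payment instruction against a vetted beneficiary registry and holds anything that deviates from the account on file, regardless of whether the beneficiary name matches. The payee record, account identifiers and phone number are constructed sample data; the diverted instruction mirrors the shape of the case described above (same name, different country and account).

```python
"""Release-time checks for outbound payments against a vetted beneficiary
registry. Added example; all payee and account data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payee:
    """Beneficiary record confirmed at onboarding (constructed sample)."""
    name: str
    bank_country: str     # ISO 3166 alpha-2 country of the vetted account
    account: str          # vetted account identifier on file
    callback_phone: str   # number confirmed at onboarding, never taken from an email


@dataclass(frozen=True)
class PaymentInstruction:
    """What the payments desk is being asked to send."""
    beneficiary_name: str
    bank_country: str
    account: str
    amount: float
    currency: str
    received_via: str     # channel the instruction arrived on, e.g. "email"


def normalise_name(name: str) -> str:
    # Case and whitespace differences are not evidence of a different payee.
    return " ".join(name.lower().split())


def build_registry(payees: List[Payee]) -> Dict[str, Payee]:
    return {normalise_name(p.name): p for p in payees}


def check_payment(instr: PaymentInstruction,
                  registry: Dict[str, Payee]) -> Tuple[str, List[str]]:
    """Return (decision, findings); decision is APPROVE, HOLD or REJECT.

    The rule is deliberately strict: funds may only go to the exact account
    vetted on file. A matching beneficiary *name* proves nothing, since a
    fraudster can open an account in that name in another country.
    """
    findings: List[str] = []
    payee = registry.get(normalise_name(instr.beneficiary_name))
    if payee is None:
        return "REJECT", ["beneficiary is not in the vetted registry"]
    if instr.account != payee.account:
        findings.append("account differs from the vetted account on file")
    if instr.bank_country != payee.bank_country:
        findings.append(
            f"bank country {instr.bank_country} differs from vetted {payee.bank_country}")
    if not findings:
        return "APPROVE", []
    # Any deviation is held until confirmed out of band: call the number
    # recorded at onboarding, not any number or reply-to in the request.
    findings.append(f"hold pending call-back to {payee.callback_phone}")
    if instr.received_via == "email":
        findings.append("instruction arrived by email; do not confirm via the same thread")
    return "HOLD", findings


# Constructed sample data: one vetted payee and two incoming instructions.
REGISTRY = build_registry([
    Payee(name="Example Microfinance Ltd", bank_country="KH",
          account="KH0000EXAMPLE0001", callback_phone="+855-00-000-000"),
])
LEGIT = PaymentInstruction("Example Microfinance Ltd", "KH",
                           "KH0000EXAMPLE0001", 10_000_000, "USD", "email")
DIVERTED = PaymentInstruction("Example Microfinance Ltd", "MX",
                              "MX0000OTHER0002", 10_000_000, "USD", "email")

if __name__ == "__main__":
    for label, instr in (("legitimate", LEGIT), ("diverted", DIVERTED)):
        decision, findings = check_payment(instr, REGISTRY)
        print(f"{label}: {decision} {findings}")
```

The point of the design is that the email thread is never a source of truth for payment details: the registry is populated at onboarding, and every deviation from it triggers a hold that can only be cleared by a call-back to the number already on file.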

These scams are a threat that continues to grow, and they can cause a company serious economic losses. Following these measures greatly reduces the chance that your company becomes the next victim.