Security lessons learned from the whale and breach
No doubt along with millions of others, I have many happy memories as a child of visits to the American Museum of Natural History in New York City, being amazed at the iconic blue whale that hangs from the ceiling. The museum is a cultural icon, established in 1869 by (among others) J.P. Morgan and Teddy Roosevelt’s father and sporting a governing board today that includes Tina Fey and Tom Brokaw. With a staff of many hundreds, an endowment of $650 million and a $200 million operating budget, the museum touts itself as “one of the world’s preeminent scientific and cultural institutions.” No argument here.
In spite of its size, reputation and presumed sophistication, in its June 2015 Form 990, the museum had to disclose that it had lost $2.8 million to an “e-mail phishing incident.” Details are sketchy, but the museum reported it was satisfied this was not an inside job.
For a large and sophisticated organization to lose $2.8 million takes e-mail scams to a whole different level. The old saying that a man with a briefcase can steal more money than a man with a gun is now obsolete; a person with a laptop is more dangerous still, and the crooks don’t even need to dress up in a suit. While details are not available on exactly what happened, someone must have spent a great deal of time researching and concocting this scheme. It helps drive home this point: e-mail is not a secure means of communication (as if we needed it illustrated any further following the most recent presidential campaign).
As for how an e-mail system could be compromised, that is essentially a moot point: if a single employee clicks on the wrong link in a website or e-mail, it may well compromise an entire network. A friend of mine who worked in the defense industry told me his company had found viruses on blank CDs immediately after they were removed from their packaging, and that was in the 1990s. In the 2000s thieves parked a truck with a satellite dish near two Marshalls stores in Florida, beaming information to a satellite to steal data on over 45 million credit cards. Today you can get your credit card information stolen by walking too close to the wrong person in the mall. That’s just what we know about – what other ingenious, unguessed capabilities have been developed?
In theory, your e-mail system could be hacked without your knowledge; the criminals could monitor and bide their time, observing what types of communication occur, looking for whatever funding requests and authorizations might float by, and concocting a very convincing mimicked request.
For financial control, presume that your e-mail system is compromised and build systems around that presumption. If your control system allows for the disbursement of funds authorized only by e-mail correspondence, it should be revisited.
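The control described above can be made concrete as a rule check that a payment system runs before funds are released. The following is an added example, not code from the column or from any organization it mentions; the channel names, approval rules, the $10,000 dual-control threshold and the sample requests are all constructed for illustration. It treats e-mail as an untrusted channel and refuses any disbursement whose only authorization arrived that way, requires an approver other than the requester, requires two approvers above a threshold, and insists on a phone callback to a number already on file whenever the payee's bank details have changed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    """How an approval reached the payment desk (names are constructed)."""
    EMAIL = "email"                    # assumed compromised; never sufficient on its own
    PHONE_CALLBACK = "phone_callback"  # we dial a number from the vendor master file
    IN_PERSON = "in_person"            # approver signs in the office
    PORTAL_MFA = "portal_mfa"          # approval inside the payment system behind MFA


# Any channel the attacker cannot drive simply by controlling a mailbox.
OUT_OF_BAND = {Channel.PHONE_CALLBACK, Channel.IN_PERSON, Channel.PORTAL_MFA}


@dataclass
class Approval:
    approver: str
    channel: Channel


@dataclass
class Disbursement:
    requester: str
    payee: str
    amount: int                 # whole dollars, for simplicity
    bank_account_changed: bool  # payee bank details differ from the vendor master file
    approvals: list = field(default_factory=list)


def check_disbursement(d: Disbursement, dual_control_threshold: int = 10_000) -> list:
    """Return the list of control violations; an empty list means release is allowed."""
    problems = []

    # Rule 1: at least one approval must have come over a non-e-mail channel.
    if not any(a.channel in OUT_OF_BAND for a in d.approvals):
        problems.append("no out-of-band approval: e-mail-only authorization")

    # Rule 2: segregation of duties; the requester cannot approve their own request.
    independent = {a.approver for a in d.approvals if a.approver != d.requester}
    if not independent:
        problems.append("no approver independent of requester")

    # Rule 3: dual control above the threshold.
    if d.amount >= dual_control_threshold and len(independent) < 2:
        problems.append("dual control required above threshold")

    # Rule 4: new or changed bank details must be confirmed by callback to the number on file,
    # never to a number supplied in the request itself.
    if d.bank_account_changed and not any(
        a.channel == Channel.PHONE_CALLBACK for a in d.approvals
    ):
        problems.append("bank account change without phone callback verification")

    return problems


# Constructed sample requests. The first mirrors the pattern the column warns about:
# a large transfer to new bank details, "approved" by a single e-mail from an executive.
SCAM_REQUEST = Disbursement(
    requester="controller",
    payee="New Vendor LLC",
    amount=2_800_000,
    bank_account_changed=True,
    approvals=[Approval("ceo", Channel.EMAIL)],
)

# The same payment, but approved in the payment portal and confirmed by callback.
VERIFIED_REQUEST = Disbursement(
    requester="controller",
    payee="New Vendor LLC",
    amount=2_800_000,
    bank_account_changed=True,
    approvals=[
        Approval("ceo", Channel.PORTAL_MFA),
        Approval("treasurer", Channel.PHONE_CALLBACK),
    ],
)


if __name__ == "__main__":
    for name, req in (("scam", SCAM_REQUEST), ("verified", VERIFIED_REQUEST)):
        violations = check_disbursement(req)
        print(name, "->", "RELEASE" if not violations else "HOLD: " + "; ".join(violations))
```

The point of the design is that no single mailbox, even the chief executive's, can move money on its own: every path to release runs through at least one channel the e-mail attacker does not control, and the callback goes to contact details the organization already holds rather than anything contained in the request.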
Pete Kennedy is a director at Cover & Rossiter and the head of the Audit practice.