The recent cyberattack on the Milwaukee Bucks has garnered quite a bit of media attention. Players and staff of the team had their 2015 W-2 records compromised after a team employee sent the records to an email address that appeared to come from the team President, Peter Feigin. This is yet another example that no company is immune to the threat of hackers, but certain plays can be practiced to guarantee you don't lose the cyber liability game.
A Bucks employee received an email that appeared to be from the team president asking for all company W-2s for 2015. Since the request appeared to legitimately come from the team president, the staffer responded to the email with the information requested. Those records included player and staff financials, such as names, addresses, date of birth, Social Security numbers, and compensation packages.
However, the email was not from Feigin. Instead, it was sent from a hacker posing as Feigin (likely using his name and email signature).
The data breach occurred in April, but unfortunately was not discovered until recently.
How Are the Bucks Moving Forward?
The Bucks reported the incident to the IRS and the FBI immediately after it was discovered. Any players or staff affected by the breach will receive three years of credit monitoring and identity restoration services for life. Various office staff members will also receive additional awareness training. These expenses can become significant, and they do not include any information technology services or upgrades the team has incurred since the breach.
Are You Covered?
Previously, many small companies felt as if a cyber breach simply would not happen to them, but that is not the case today. For example, a Milwaukee area manufacturer recently experienced something similar. There, an employee received an email from the “CEO” requesting a wire transfer to a “vendor.” The request seemed legitimate, so the employee went forward with the wire transfer, only to find out that the email was not actually from the CEO but rather, a hacker.
Because of this increased risk, many companies are opting to purchase cyber liability coverage, and those already insured are increasing their limits. However, not all cyber-related attacks are covered unless additional coverages are purchased. For example, a cyber liability policy often does not cover social engineering (such as the emails received by the Bucks and manufacturer employees). Understanding the coverage you purchase, and seeking additional insurance if necessary, is crucial to ensuring your company can recover if it is ever attacked.
Tips to Winning the Social Engineering Game
- Have policies and procedures in place that comply with HIPAA and other laws addressing the disclosure of health-related or personally identifiable information.
- Set security protocols in place to be used when dealing with business partners, vendors, employees and customers. For example – if a wire transfer is requested, have a policy in place and enforced that requires phone verification.
- Educate ALL employees on this type of scam, and have them report red flags immediately. It may also make sense to engage an information technology consultant to send “test” emails to employees to see if they follow protocols in place.
- If you receive a link to an unknown site, do not click it even if it seems to have been sent from one of your contacts. Oftentimes, the email may appear to have arrived from one of your contacts, but if you look closely you will see the email address is not legitimate. Always remember, if it looks suspicious, it most likely is!
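The last two tips come down to one habit: look past the display name to the mailbox the message actually came from, and treat any request for W-2s or a wire transfer from an unverified sender as something to confirm by phone. The script below is an added example, not code from the original post or from the Bucks, that automates that look. It assumes a hypothetical organization domain (`example-team.com`) and a list of executives most likely to be impersonated; the sample message headers are constructed for illustration.

```python
"""
Flag inbound mail whose visible sender name does not match the mailbox the
message actually came from, plus sensitive requests (W-2s, wire transfers)
that should be verified by phone before anyone acts on them.

Added example, not part of the original post. TRUSTED_DOMAINS,
PROTECTED_NAMES and the sample messages below are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Domains the organization legitimately sends mail from (assumption).
TRUSTED_DOMAINS = {"example-team.com"}

# Display names most likely to be impersonated, lower-cased (assumption).
PROTECTED_NAMES = {"peter feigin"}

# Subject words that indicate a request requiring out-of-band verification.
SENSITIVE_KEYWORDS = ("w-2", "w2", "wire transfer")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address, or ''."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message: str) -> List[str]:
    """Return a list of red flags found in the From, Reply-To and Subject headers."""
    msg = message_from_string(raw_message)
    flags: List[str] = []

    # parseaddr splits 'Peter Feigin <addr>' into the name and the real mailbox.
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = _domain(address)

    # Red flag 1: a protected name in front of an address we do not own.
    if display_name.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        flags.append(
            f"display name '{display_name}' but sender domain '{from_domain}' is not trusted"
        )

    # Red flag 2: a Reply-To on another domain silently diverts the reply.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append(
            f"Reply-To domain '{_domain(reply_to)}' differs from From domain '{from_domain}'"
        )

    # Red flag 3: a sensitive request; the policy in the tips says verify by phone.
    subject = msg.get("Subject", "").lower()
    if any(keyword in subject for keyword in SENSITIVE_KEYWORDS):
        flags.append("sensitive request in subject; confirm by phone before responding")

    return flags


# Constructed sample messages (not real traffic).
SPOOFED_W2_REQUEST = """From: "Peter Feigin" <peter.feigin@example-team-mail.com>
Reply-To: pfeigin@mail-relay.example.net
Subject: All 2015 W-2s needed today
To: payroll@example-team.com

Please send every employee's 2015 W-2 as soon as possible.
"""

LEGITIMATE_MESSAGE = """From: Peter Feigin <pfeigin@example-team.com>
Subject: Board meeting agenda
To: staff@example-team.com

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_W2_REQUEST), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", check_sender(sample) or ["no red flags"])
```

Run it as-is to see the spoofed W-2 request raise three flags (untrusted sender domain, mismatched Reply-To, sensitive subject) while the legitimate message raises none. In practice the same checks belong in the mail gateway or a mailbox rule so the warning reaches the employee before they reply, not after.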
Making sure your company is safe from fraud is the first step to ensuring a game winning strategy. Having the correct coverage in place completes the play.