Who is responsible for the damage in a cyber attack?

A few weeks ago, the Central Netherlands court made a striking decision. Bol.com and Brabantia came into conflict after a hacker pretended to be an employee of Brabantia. The criminal made a request to change the account number that Bol.com used to transfer the money from sold products. Bol.com accepted this request and changed the account number. In the period that followed, €750,000 was transferred to the criminal. 

"Please note that as of today we have a change in our bank account details for incoming payments. From now on, all incoming payments must have been transferred to our branch account in Spain. We would appreciate if you could update your details."

The judge ruled that Bol.com lacked healthy suspicion, because the e-mail was drafted in poor Dutch and the request to change the Dutch account number to a Spanish one was not logical for a company established in the Netherlands.  

Striking case 

Disputes like this are becoming more common in the digital domain. It is not always clear who bears the costs that follow a cyber attack or a fraudulent request. In this case, a Brabantia employee's mailbox had been compromised, so the e-mail came from a legitimate e-mail address. According to the court, the fact that Brabantia did not have its digital security in order, with the result that Bol.com received the request from a trusted e-mail address, was not sufficient to shift liability.

How do you prevent this? 

A cyber attack causes a great deal of damage. Aside from investigation costs, ransoms and the cost of shutting down your business, the media attention and the reputational damage that follows can be very costly for an SME. It is even more painful if you also end up in a liability dispute with, for example, your IT supplier. Shouldn't they have protected you from that ransomware attack? And do you actually know whether your IT supplier is properly secured?

The above case could have been prevented by having the basic security measures in place. For example, Brabantia should have enforced two-step verification on its employees' accounts, so that the hacker could not have gained access to the employee's mailbox. At the same time, Bol.com could have trained its employees to recognise cybercrime and to know what to pay attention to in requests like this one.

Tips 

  • Enforce two-step verification on every application, tooling or website used in the company;  
  • Train your employees regularly on recognizing phishing emails and fraudulent requests;  
  • Make agreements with your IT suppliers about what they offer in the field of security, where the responsibilities lie and how action is taken in the event of an incident;
  • Take out cyber insurance that protects your company against the high costs of a cyber attack.
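To make "what to pay attention to" concrete, here is an added example (it is not from the original article or from Eye) that scores a bank-detail change request against the signals the court named in this case: whether the new IBAN is valid and in the supplier's own country, whether the sender's domain matches the supplier's, and whether the wording presses for an immediate switch. The supplier record, the mail domain and the IBAN are constructed or public sample values, not data from the case.

```python
import re
from dataclasses import dataclass

IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
URGENCY_RE = re.compile(r"\b(as of today|from now on|immediately|urgent)\b", re.IGNORECASE)

def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; rejects mistyped or fabricated account numbers."""
    s = iban.replace(" ", "").upper()
    if not IBAN_RE.match(s):
        return False
    rearranged = s[4:] + s[:4]  # move country code and check digits to the end
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)  # A=10 .. Z=35
    return int(digits) % 97 == 1

@dataclass
class Supplier:
    name: str
    country: str  # ISO 3166 code of the country the supplier is established in
    domain: str   # mail domain the supplier normally writes from

@dataclass
class ChangeRequest:
    sender: str
    new_iban: str
    body: str

def triage_bank_change(req: ChangeRequest, supplier: Supplier) -> list[str]:
    """Red flags a payments reviewer should see before touching supplier master data. An empty
    list is not an approval: apply the change only after confirming it via a phone number already
    on file, because a compromised mailbox passes every sender check (as it did in this case)."""
    flags = []
    iban = req.new_iban.replace(" ", "").upper()
    if not iban_is_valid(iban):
        flags.append("new IBAN fails the mod-97 check")
    elif iban[:2] != supplier.country:
        flags.append(f"new IBAN is in {iban[:2]} but {supplier.name} is established in {supplier.country}")
    if req.sender.rsplit("@", 1)[-1].lower() != supplier.domain.lower():
        flags.append("sender domain differs from the supplier's known domain")
    if URGENCY_RE.search(req.body):
        flags.append("wording pushes for an immediate switch of payment details")
    return flags

# Constructed sample modelled on the case above: the IBAN is the public ES example IBAN, the domain
# is a placeholder, and the sender is the supplier's own address because the mailbox was compromised.
SUPPLIER = Supplier("Brabantia", "NL", "supplier.example")
REQUEST = ChangeRequest(
    sender="finance@supplier.example",
    new_iban="ES91 2100 0418 4502 0005 1332",
    body="Please note that as of today we have a change in our bank account details for incoming "
         "payments. From now on, all incoming payments must have been transferred to our branch account in Spain.",
)
```

Run on the sample request, the triage reports the Spanish IBAN for a Dutch supplier and the pressing wording, but not the sender, which is exactly why the callback to a known contact is the step that cannot be skipped.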

With an all-in-one package from Eye you protect your company against cyber attacks. We monitor your systems and cloud environments for suspicious traffic, train your employees with phishing simulations and advise you several times a year. Read more about affordably securing your business here or request a free consultation right away.

Published on May 11, 2021
