The announcement from FACC reads:
On January 19, 2016 FACC AG announced that it became a victim of fraudulentEarlier FACC noted that they had contact authorities in the matter.
activities involving communication- an information technologies. To the current
state of the forensic and criminal investigations, the financial accounting
department of FACC Operations GmbH was the target of cyber fraud. FACC's IT
infrastructure, data security, IP rights as well as the operational business of
the group are not affected by the criminal activities. The damage is an outflow
of approx. EUR 50 mio of liquid funds. The management board has taken immediate
structural measures and is evaluating damages and insurance claims.
Today, it became evident that FACC AG has become a victim of a crime actThis announcement had a real world impact on FACC's stock price, although the stock is rebounding some this morning.
using communication- an information technologies. The management board has
immediately involved the Austrian Criminal Investigation Department and engaged
a forensic investigation. The correct amount of damage is under review. The
damage can amount to roughly EUR 50 million. The cyberattack activities were
executed from outside of the company.
|FACC Stock Graph|
Although details on the exact mechanism of theft are light in this case, at Rendition Infosec, we predict that the initial intrusion vector was probably phishing. We frequently see fraudulent invoices sent to companies, many of which are paid. These attacks (usually for smaller dollar amounts than seen with FACC) are often paid and then only discovered later during an audit.
With FACC's misfortune in the news, today would be a great time to reinforce phishing awareness to your employees. Don't think it can't happen to you too. If you don't have a phishing or general infosec awareness program already in place, contact me and I'll be happy to help you set one up using proven techniques used across many of our clients.