How Did Chinese Phishers Get $3M From Mattel? They Asked

The media is obsessed with the word “hacker.” It’s become something of a digital boogeyman, conjuring up images of hooded teenagers bent over keyboards in rooms full of computers and their constituent parts. When one of their elusive number strikes at the corporate world, their skills are discussed in nonspecific and vaguely threatening terms — they bypass, they slip through, they disable security systems.

So, why is it that these super-skilled cyberthieves didn’t even break out their passcode generators when they stole $3 million from Mattel? Where were all the corporate firewalls when the hackers asked for and received money they never should’ve been sent?

That question has to be haunting the halls of toymaker Mattel’s headquarters now that the Associated Press has broken news of an incident that began April 30, 2015, a month after Mattel’s then-new CEO Christopher Sinclair had taken over the top spot in the organization. The story goes that an anonymous financial executive received an email that appeared to come from Sinclair, requesting clearance for a $3 million wire transfer to a bank in China to settle the bill for a vendor’s services. Mattel’s corporate policy on funding transfers requires approval from two executive-level managers, which the presence of the unnamed financial exec and Sinclair’s email imposter seemed to satisfy.

Reportedly “eager to please her new boss,” the financial executive in Los Angeles approved the $3 million transfer to the Bank of Wenzhou. It was only a few hours later, when the exec casually mentioned the payment to Sinclair in person, that Mattel first realized it’d been had. When it contacted the authorities about the mix-up, the company was told it was out of luck, as well as $3 million.

It just about goes without saying that cybercrime is on the rise in the corporate world. According to IT security firm Beazley, incidents of ransomware in 2016 alone are expected to top the figures from the past two years combined, and 2015 sent 60 percent more data breaches to the company’s breach response services unit than 2014. Mattel wasn’t hit by anything nearly as sophisticated as a ransomware attack, but that’s just the point: The more companies myopically focus on the perceived high-tech threats, the easier it’ll be for thieves like this to socially engineer their way right through corporations’ front doors.

Hiding Mattel’s actions of simply handing over millions of dollars under the umbrella of a general rise in cybercrime is giving the toymaker and other corporations lax on IT security a big pass. The unidentified hackers didn’t gain access to any systems or bypass internal security measures to “hack” Mattel. It’s inaccurate to call this a hack at all. The person on the other end of the line simply crafted an email that looked convincing and managed to fool the right person at Mattel. If this is an example of sophisticated cybercrime, then every criminal who ever walked through an open door has the lockpicking skills of Harry Houdini.

The story of a corporate executive essentially handing millions over to a faceless swindler is a funny one, made even funnier by the fact that Mattel was able to use the extra time from an extended weekend to liaise with Chinese authorities and freeze the account its money was deposited into before it could be withdrawn and scattered to the aether, AP reported. While it’s sure to cause a few chuckles around corporate boardrooms, it’s far from a happy ending for those same execs, who could share the same misconceptions about how hackers sometimes don’t need to hack at all to get what they want.

In the end, Mattel may have been able to get its millions back, but $3 million might not be that steep a price to pay to learn a valuable lesson about IT security in the modern age. Not every data breach looks like somebody typing on a computer from “The Matrix,” and some that could lose companies serious funds could be prevented with a five-minute phone call before hitting “Reply” on a $3 million email.