Computer hackers broke into MECA's computer and payroll systems last month and stole $217,000, according to a computer security blogger who detailed the crime in an online post. The Metropolitan Entertainment and Convention Authority on Thursday acknowledged that it was a victim in July of what it called an "Eastern European based cyber scheme." But the agency that runs the CenturyLink Center Omaha and TD Ameritrade Park declined to discuss the case in detail.
Although $217,000 was stolen, MECA reportedly was able to reverse a $147,000 fraudulent transfer, leaving $70,000 unrecovered. In a statement Thursday to The World-Herald, MECA said it has cybercrime insurance that should cover the loss. However, the organization's chief financial officer told security blogger Brian Krebs that MECA faces a $25,000 deductible and the expense of a computer forensic investigation.
In its statement, MECA said it has been in close contact with the FBI, and the local FBI office said it is investigating.
"This was an important lesson to us about vulnerability in the online world," MECA said. "We have changed several online banking security procedures."
In a post this week on his Krebs on Security blog, Krebs, a former Washington Post reporter who tracks Internet and computer security issues, quotes Lea French, MECA's chief financial officer. She says the problems started when an employee opened an email attachment infected with a virus that steals passwords.
Kreb's post says MECA had refused many security protections offered by its bank.
French told the blogger that had those protections been in place, the theft wouldn't have happened. "We thought that would be administratively burdensome," French said in the post, "and I was more worried about internal stuff, not somebody hacking into our systems."
After gaining entry through the infected email, the hackers used MECA's own online banking credentials to add at least six people, so-called money mules, to the payroll, Krebs' post said. The hackers, who French said appeared to be familiar with the payroll system, "wasted no time" setting up fraudulent transfers, according to the blog post.
Said French, "They knew exactly what they were doing. ... They appear to be very good at what they do."
The money mules, who were recruited through fraudulent work-at-home offers, received the transfers and, knowingly or not, helped launder the money, according to the post. The article says $9,000 was sent to a Florida man, who then transferred the funds to three people in eastern Europe. The post says MECA has since added security features to its online banking account.
MECA, in its statement, said it retained a national security technology firm and ran an extensive forensic analysis that determined that the incident was isolated to one computer. No personal information about employees or guests was compromised, MECA said.
"All of this is a day late and a dollar short, I guess," French says in the blog post. "Why isn't someone shouting on the rooftops about this fraud?"
-News Source (Omaha)
