The lawsuit, filed on Tuesday, claims that Hartford Fire Insurance Co. and HSB Specialty Insurance should cover the stolen funds because the policies they offer cover "exactly" the type of cybercrime committed. However, insurers have raised concerns about whether the quasi-state agency, known as the Special Deputy Receiver, followed specific policies and safeguards designed to prevent such cybertheft, according to court documents.
The Tribune revealed in January that $6.85 million was improperly sent in wire transfers after fraudsters hijacked the agency's chief financial officer's email account and directed subordinates to make the payments.
When the scheme was discovered in July 2021, two wire transfers were blocked, including one directing $2.1 million to Singapore, but nearly $4 million remains unaccounted for, according to the lawsuit.
The special deputy receiver's office is a non-profit organization that collaborates with Gov. J.B. Pritzker's director of the Illinois Department of Insurance to protect creditors and policyholders of financially troubled or insolvent insurance companies. Because the state insurance department collaborates with the receiver, the suit was filed on his behalf.
Employees in the receiver's office were allegedly duped into sending wire transfers from the accounts of two automobile insurance firms under liquidation and overseen by the receiver.
Affirmative Insurance Co. sold personal auto insurance, while Gateway Insurance Co. sold commercial auto insurance. The remaining pieces of Affirmative and Gateway, as well as their policyholders, are referred to as "estates."
According to state officials and a company report, the Affirmative estate initially lost $4.7 million, but approximately $2.9 million has been recovered.
According to a person familiar with the receiver's office's operations, failure to recover the losses could limit the ability to pay claims to policyholders.
The Illinois Department of Insurance, according to Caron Brookens, will not comment on pending litigation. The department previously stated that it was covered by cyberfraud insurance and that recovery efforts were underway.
The nearly $4 million that was lost went out in five transfers to Bank of China HK Ltd. The transfers began on June 23, 2021, with a $336,364 wire transfer, followed by another for the same amount the next day, according to the lawsuit.
According to the lawsuit, the largest wire transfer that has not been recovered was for $930,000 to the same bank on July 6, 2021.
The scheme was discovered on July 15, 2021, one day after a $2.1 million transfer to Singapore was scheduled. On July 8, a $770,500 transfer to the Bank of China was successfully recalled.
According to an internal investigation, fraudsters first logged into the mailbox of Douglas Harrell, the receiver's chief financial officer, from Dubai on June 17, 2021. Within a few days, the fraudsters forged Harrell's email and began transferring funds.
When the ninth transfer request arrived, the assistant controller contacted Harrell to question its legitimacy, and officials immediately took action to halt as many transfers as possible.
The fraudsters most likely targeted Harrell in a "spear phishing attack," in which criminals target high-ranking individuals in a corporation or agency rather than employees across the board.
The receiver stated that an internal report indicated "a significant possibility exists" that Harrell's "email credentials were compromised via his personal phone or tablet," but it is unclear how the phishing scheme began.
Harrell stayed with the receiver for a few months after the cyberattack to assist with the investigation before offering to resign and leaving the agency. He declined to comment on the lawsuit on Friday.
However, Harrell stated in an interview last December that COVID protocols kept workers away from the office, preventing routine face-to-face communication that could have normally stopped the fraudulent activity.
The cybercriminals "controlled my email and gave me directions," Harrell said. "My folks thought I was directing them to invest in a certain way," he explained, adding that they believed his superiors had approved the transactions.
Harrell stated that he discovered the erroneous transactions "right away" and "called everybody within two minutes" to meet with senior management, including top technology officials and lawyers, to discuss the matter.
Before the suit was filed, The Hartford noted in a letter to the Office of Special Deputy Receiver that the wire transfer requests were "highly questionable" and violated investment policies.
According to the Hartford letter, following the policies "would have likely prevented the loss."
According to the Hartford response, the receiver's investigation found that the transfers violated policies governing money transfers that can be made without written approval and that "prohibit payments of the nature identified in the fraud."
"However, due to a series of oversights, errors, and what appears to be disregard of... policies and procedures" by agency employees, the "controller's office completed the transfers by the fraudsters," according to the Hartford letter.
According to the Hartford letter, the employees who "made the transfers have indicated that they understood that the transfers were intended to fund investments that they suspected or knew were contrary" to agency policies and procedures but moved the money anyway.
Buckle Corp. of Jersey City, New Jersey, purchased the charter of Gateway Insurance Co. for $4.2 million in 2020 through a court-supervised auction in Cook County, according to Marty Young, Buckle's co-founder and CEO.
The new company did not inherit the Gateway estate's assets or liabilities, giving the new company a clean slate.
According to company officials, as of its September 30 report, the new Gateway Insurance Co. had 20,000 to 25,000 customers across the country, with about 2% of them in Illinois.
According to Buckle, only about 100 of the old company's customers are among the new company's current customers.
