Agency that oversees troubled insurance firms for state sues to recover millions lost in cyberattack

A quasi-state agency has filed a federal lawsuit in an effort to force private insurance companies to cover millions of dollars lost last year through “wrongful wire transfers” in a cybercrime with ties to Dubai, China and other foreign countries.

The lawsuit, filed Tuesday, contends that Hartford Fire Insurance Co. and HSB Specialty Insurance should cover the stolen money because policies they provide are for “precisely” the type of cybercrime committed.

But insurers have balked while questioning whether the quasi-state agency, known as the Special Deputy Receiver, failed to follow specific policies and safeguards designed to prevent such cybertheft, according to documents in the case.

The Tribune disclosed in January that $6.85 million was improperly sent in wire transfers when fraudsters hijacked the email account of the agency’s chief financial officer and ordered underlings to make the payments.

Once the scheme was discovered in July 2021, two wire transfers, including one directing $2.1 million to Singapore, were blocked, but nearly $4 million is still missing, according to the lawsuit.

The special deputy receiver’s office is a nonprofit that works with Gov. J.B. Pritzker’s director of the Illinois Department of Insurance and exists largely to protect creditors and policyholders of financially troubled or insolvent insurance companies. The suit was filed on behalf of the director of the state insurance department because that department works with the receiver.

The fraudsters allegedly duped employees in the receiver’s office into sending wire transfers that came from the accounts of two automobile insurance firms under liquidation and overseen by the receiver.

The firms were Affirmative Insurance Co., which sold personal auto insurance, and Gateway Insurance Co., which sold commercial auto insurance. The leftover pieces of Affirmative and Gateway and their policyholders are in what are called “estates.”

The Gateway estate suffered a loss of about $2.1 million, officials said.

The Affirmative estate initially suffered a loss of $4.7 million, but about $2.9 million has been recovered, according to state officials and a company report.

Failure to recover the losses could limit the ability to pay claims to policyholders, according a person familiar with the way the receiver’s office operates.

Caron Brookens, spokeswoman for the Illinois Department of Insurance, said the agency would not comment on pending litigation. The department had previously said it was insured for cyberfraud and recovery efforts were under way.

The nearly $4 million that has not been recovered was lost in five transfers to the Bank of China HK Ltd. The transfers started on June 23, 2021, with a $336,364 wire transfer and then a second one for the same amount the next day, the lawsuit said.

The biggest wire transfer that has not been recovered was for $930,000 to the same bank on July 6, 2021, according to the lawsuit.

The scheme was discovered on July 15, 2021, one day after a $2.1 million transfer was queued up to go to Singapore. That transfer was successfully recalled, as was one to the Bank of China for $770,500 on July 8.

An internal review of the matter showed fraudsters first logged into the mailbox of Douglas Harrell, the receiver’s chief financial officer, on June 17, 2021, from Dubai. Within a few days, the fraudsters faked Harrell’s email and started sending orders to transfer the funds.

When a ninth transfer request came through, the assistant controller reached out to Harrell to question the legitimacy of the request, and officials immediately took action to stop as many transfers as they could.

The fraudsters likely focused on Harrell in what is known as a “spear phishing attack.” That’s when criminals target high-ranking individuals in a corporation or agency rather than trying employees throughout the company.

The receiver said an internal report indicated “a significant possibility exits” that Harrell’s “email credentials were compromised via his personal phone or tablet,” but how the phishing scheme started is difficult to pinpoint.

Harrell stayed with the receiver for a few months after the cyberattack to help address the matter and then offered to resign and left the agency. He had no comment Friday about the lawsuit.

But in an interview last December, Harrell said COVID protocols kept workers away from the office and that prevented the routine face-to-face communication that could have normally stopped the fraudulent activity.

“They controlled my email and gave directions,” Harrell said of the cybercriminals. “My folks thought I was directing them to invest in a certain way” — and that his bosses had approved the transactions, he said.

Harrell said he spotted the wrongful transactions “right away” and “called everybody within two minutes” to address the matter with senior management, including the top technology officials and lawyers.

The Hartford, in a response for its affiliated insurers before the suit was filed, noted in a letter to the Office of Special Deputy Receiver that the wire transfer requests were “highly questionable” and violated investment policies.

Further, The Hartford letter stated that adhering to the policies “would likely have prevented the loss.”

The Hartford response also noted the receiver’s investigation determined the transfers violated policies regulating money transfers that can be made without written approvals and that “prohibit payments of the nature identified in the fraud.”

“However, due to a series of oversights, errors and what appears to be disregard of ... policies and procedures” by agency employees, the Hartford letter said, the “controller’s office completed the transfers by the fraudsters.”

The employees who “made the transfers have indicated that they understood that the transfers were intended to fund investments which they suspected or knew were contrary” to agency policies and procedures but moved the money anyway, the Hartford letter stated.

Buckle Corp. of Jersey City, New Jersey, bought the charter of Gateway Insurance Co. for $4.2 million in 2020 through a court-supervised auction in Cook County, according to Marty Young, Buckle’s co-founder and CEO.

The new company did not take over the assets or the liabilities of the Gateway estate, giving a fresh start to the new firm.

As of its Sept. 30 report, company officials said, the new Gateway Insurance Co. has 20,000 to 25,000 customers, across the country, about 2% of them in Illinois.

Only about 100 of the old company’s customers are among the current customers in the new company, according to Buckle.

[email protected]

©2022 Chicago Tribune. Visit chicagotribune.com. Distributed by Tribune Content Agency, LLC.