Hacked small-businesses often have no place to turn
Participant hold their laptops in front of an illuminated wall at the annual Chaos Computer Club (CCC) computer hackers' congress, called 29C3, on December 28, 2012 in Hamburg, Germany.
It was March 2010, the height of the financial crisis, and the housing market was in the dumps. Michelle Marsico, who owns Village View Escrow south of Los Angeles, was having a slow day. So slow, in fact, that she didn’t bother logging on to check her bank account, because she didn’t have any deposits coming in or any money going out.
Turns out, she was wrong.
Two days later, when she did log on, she saw $465,000 was missing from her firm’s bank account. She found out later, she was the victim of hackers.
“I just kind of went into shock,” she says. “And then I thought, well, I'm going to call my bank [and] they can put the money back in.”
Wrong again. Unlike personal checking and savings accounts, business accounts are not protected from hackers. One malicious email or bad attachment is all it takes for hackers have access to passwords and bank account numbers.
“Small mom-and-pop shops do not understand that banking online comes with serious risks,” says Brian Krebs, a cyber-security expert and blogger. He adds that many small companies get hacked so often, they have go out of business.
And lots of businesses don't want to talk about getting hacked, for fear it will scare off their customers. That makes reliable numbers on this kind of cybercrime hard to come by. According to the FBI, in 2010 it was investigating more than 400 of these crimes, and about $85 million had been lost.
“The problem is a lot of these financial institutions are offering online banking services," Krebs says, "but they haven't changed the way they do security in ten years.”
Small businesses that suspect their banks are at fault and want to sue can have a tough time finding representation, says Julie Bonnel-Rogers, an attorney at the Dincel Law Group in San Jose. “I'm receiving calls from people in the oil industry," Bonnel-Rogers says. "I've had people call me who are in the private airline industry. I've had people call me that are in the construction industry.”
She usually tells potential clients not to pursue a lawsuit, because the cases are tough to win and because attorneys’ fees are usually not part of any ruling. Plus, most small businesses can't afford to pay a lawyer up front. "Who has money for a lawsuit against the Goliath that's the financial institution, when you've just been hit with cyber-theft," Bonnel-Rogers asks. "A small business can't."
But she did represent Marsico, as a favor, when Marsico sued Professional Business Bank. The case ended in a settlement that Marisco says she has agreed not to talk about. The bank did not return a phone call.
Marsico says going public about her company being hacked cost her some business.
“The reason why I even share my story, which was at risk of my business, is because we have to stop this,” Marisco says.