This is how a hacker stole $1.3M USD from Warner Bros

Information security incidents at third-party service providers can affect the companies that rely on them. Warner Bros has revealed that negligence on the part of an accounting firm allowed an electronic fraud incident; according to reports, the media and entertainment conglomerate claims that the accounting company allowed a cybercriminal to divert $1.3 million USD to an unknown account.

The firm involved is Dan Schwartz CPA, based in New York. Warner Bros has already filed a lawsuit in a White Plains federal court.

According to the lawsuit, “the accounting firm did not have the means to secure its networks, systems or mail servers in the event of an information security incident, being exposed to unauthorized access and hacking.” The media giant claims that its emails were exposed, which allowed threat actors to access the company's financial information.

In early 2019, Warner Bros acquired Entertainment Merchandise NY (EMNY), for which Schwartz already served as accountant. In the lawsuit, Warner’s representatives mention that the company decided to keep using Schwartz’s accounting services, at least temporarily.

Soon after, an unidentified threat actor gained access to Schwartz’s networks or email systems, using an IP address located outside the United States. According to the lawsuit, the hacker found an exchange of emails containing financial information from both parties, as well as information about an EMNY savings fund, which became Warner’s property after the purchase.

Warner authorized Schwartz to transfer the assets from the savings fund to another account at Bank of America. The hacker detected the conversation and, by sending phishing messages, tricked Schwartz staff into transferring the money to a different account at Wells Fargo. The savings fund consisted of $1.3 million USD; according to Warner Bros, the accounting firm did not verify the source of the malicious email or confirm the request for the transfer, which facilitated the completion of the scam.

According to an information security firm, Warner also filed a lawsuit against Schwartz for breach of contract, in addition to the first negligence charge. The International Institute of Cyber Security (IICS) mentions that the transaction could not be traced, so the investigation is still ongoing with the aim of ruling out the possible involvement of any Schwartz staff member in the scam.