Massachusetts Bay Insurance Company (MBIC) has formally defended its rejection of BitPay’s claims demanding compensation for a December 2014 hacking in which the Bitcoin wallet and merchant service provider lost 5,000 BTC ($1.85 million).
The hacker first gained access to the computer of BTC Media’s CEO David Bailey and then to the Google account of BitPay’s CFO Bryan Krohn. Posing as Krohn, the hacker requested authorization from BitPay CEO Stephen Pair and executive chairman Tony Gallippi to send multiple bitcoin payments to an address claimed to belong to SecondMarket, a client of BitPay’s.
BitPay claimed the maximum coverage of its policy, $1,000,000, less the $50,000 deductible. The insurer rejected the claim, arguing that the loss was indirect and did not involve property on BitPay’s premises.
Changing the Face of AML with Self Service AnalyticsGo to article >>
BitPay subsequently sued the insurer for its claim amount, plus damages, interest and court fees in the District Court for the Northern District of Georgia, Atlanta Division. It also alleged breach of contract and bad faith.
In its response, MBIC rehashed earlier arguments that the policy in question technically does not cover losses of this nature, according to court documents obtained by CoinDesk. Because the executives carried out the payments themselves- not the hacker- they do not constitute fraud as defined in the policy. BitPay fully authorized the payments, only that it was supposedly tricked into sending them to the wrong payee. In theory, therefore, BitPay may not have been defrauded.
The case further demonstrates how inadequate internal controls against e-mail and phishing attacks can be more disastrous than theft by brute force. You can be your own worst enemy by invalidating risk prevention measures.
MBIC further requested that the court dismiss BitPay’s charges of bad faith and breach of contract because the insurance contract in question was irrelevant to the incident.