We switched to Comdata last summer and use the virtual and physical cards. Back on March 7th my accountant, who is the daily admin of the program, opened an email attachment on an email from a legitimate vendor of ours. However, the vendor's email had been hacked and the attachment installed a trojan malware behind the scenes. That malware then installed other malware that either took screenshots or recorded keystrokes; we aren't quite sure what happened. The hacker was able to obtain the admin credentials and log into Comdata's site from another IP address without issue. That weekend the hacker flooded my accountant's email with spam, so when she came in on Monday she spent the morning dealing with that. I've now learned that is a tactic hackers use in case Comdata sent an email about the "foreign" access from a new IP address (which Comdata does not do). On Monday, March 11th, the hacker logged in again and was able to order a card and ship it to a Days Inn in Sunny Isles, FL. Starting on Thursday the 14th the hacker started at a Subway for $2, then Best Buy for $100, $300, and $400 in gift cards. All went through of course. Then he went to town stopping at Best Buy and Apple stores, and a wine store. Day one's total charges were $42,900, day two was $56,900, and day three was $25,300 for a total of just over $125k.
The first time Comdata alerted us to suspicious activity was Friday night at 7:30pm (after $100k had been charged). Apparently the hacker logged back in as the admin and was able to take the card off fraud hold and resume charging on Saturday. I responded to the risk alert at 1am on Saturday and told them the charges were not ours. The next morning I happened to be in the office working on Saturday and I received another email with new charges being flagged. I responded again that the charges were from a card that wasn't ours and should not be associated with our account. Comdata finally shut the card and admin login down that weekend, but hours later, after the hacker was able to charge another $20k.
I investigated all of this thoroughly, hence the reason I have all the details, and although we clearly had some issues on our end for allowing it to get started, I highlighted numerous issues with Comdata's system that would have prevented or limited the losses. This is what you guys should be aware of (red are my statements to Comdata and in blue some additional commentary).
Fraud Monitoring Red Flags that weren't triggered
(Their excuse for all the clearly fraudulent charge activity not being flagged is because it is a chip card and therefore the velocity and spend activity [e.g. $10k in 40 minutes over 3 transactions in the same Best Buy store] is given a greater security footprint before flagging it as fraud to prevent false flags.)
Ways to stop or limit fraud like this that are not in place
After the internal investigations between us and Comdata they came back and said they are accepting no liability for the loss and we had to pay the full amount. They acknowledged every flaw in their system that I pointed out but hung their hat on the fact that it was a legitimate login that accessed their system. I expected them to have my back when it comes to fraud prevention and detection, and clearly that isn't important to them with glaring security issues like this. We have since filed the loss with our crime insurance policy and are dealing with that, but we will have some kind of a loss due to deductibles. Comdata is not willing to pay any part of that and we are now looking for a more secure program, even if it means we lose out on some rebate money. The hassle and cost of dealing with fraud isn't worth it. At the very least those of you with Comdata should be looking at that cardholder report to ensure nobody shows up who shouldn't. As I told Comdata, if this hacker figured out how to get $125k out of this fraud it is a guarantee that they will try again and have probably posted a "how to guide" somewhere on the dark web. We will not be the only company to be hit by this. Be careful.
Yes, thanks for sharing Brad. That is very disappointing that Comdata did not make this right. I had a fraudulent charge issue with Comdata that was also denied by them, although our incident was not as blatant as yours as far as outside criminal activity (ours was initiated by an employee/manager fraudulently, the employee initiator factor being the reason for denial). FYI, the employee/manager who initiated our fraudulent charge was immediately fired and police contacted, who have subsequently arrested and charged the employee, no matter to Comdata that these actions occurred.
Your situation seals my decision to not expand our use of Comdata services.
Chief Financial Officer
Main: 404.361.5154 | Fax: 404.965.9355
PO Box 45717 | Atlanta, GA 30320