Fund administrator SS&C Technologies is being sued by hedge fund client Tillage Commodities Fund for allegedly failing to recognise a cyberattack targeting the client’s bank account and subsequently wiring $5.9 million through six transactions from Tillage’s fund to the hackers.
In the complaint filed in the Supreme Court of the State of New York on 16 September, Tillage claims that SS&C was a party to a fraudulent email scheme that revealed “its egregious lack of diligence and care, bad-faith breaches of contract, gross negligence and willful misconduct in the performance of its contractual obligations”.
The fraud allegedly resulted in the cessation of the Tillage Commodities Fund and losses for its investors.
An SS&C spokesman said SS&C is aware of the lawsuit, adding “[t]he claims in the complaint have no merit. The theft at issue was accomplished through the presentation of valid credentials by unknown parties purporting to act on behalf of the Tillage Commodities Fund. SS&C is not aware of any data breach of the computer systems or accounts”.
Tillage, which launched in 2012, invests in exchange-listed commodities futures contracts and had about $9.26 million in assets under management before the alleged fraud began, the lawsuit said. It had produced investment returns of 14 percent and 7 percent in 2014 and 2015, respectively, according to the complaint.
Connecticut-based SS&C, which also provides fund administration services to private equity firms, sent Tillage a fund services proposal in October 2011, and shortly afterwards entered a contract for fund administration services, Tillage said.
In March, SS&C allegedly began receiving emails requesting wire transfers to be directed to the Hong Kong bank account of a technology company. The emails used domain names that were similar to @tillagecapital.com, but with misspelled variants. Tillage also claims the emails coming from this third party had “awkward syntax and grammatical errors” that were “wholly inconsistent” with more than 210 legitimate Tillage requests for wire transfers.
Of the legitimate requests for transfer it sent to SS&C over the years, Tillage said the largest amount had been $12,410, while one of the fraudulent emails requested $3 million.
SS&C allegedly made six fraudulent wire transfers over a 21-day period to the third party. Tillage also claimed that SS&C failed to contact Tillage immediately when it began investigating the fraud, and presented “misleading and incomplete information” to government authorities to hide its fault.
Tillage also pointed to SS&C’s security protocols described on the fund administrator’s website, which include “check[ing] all mail recipients in every field of a wire transfer request in order to detect irregularities” and using a “Send Secure button” to trace the client’s proper email address. The contract also required Tillage to verify disbursements with the SS&C, the lawsuit said.
Tillage is seeking at least $10 million in damages from SS&C, according to the lawsuit.
This story was updated to add SS&C's comments in the fourth paragraph.