A lawsuit filed in Tennessee earlier this month has resurfaced questions about a bank's responsibility in protecting customers against cyberheists.
TEC Industrial Maintenance & Construction (formerly Tennessee Electric Company) is seeking to recover about $193,000 that was stolen from its bank account by a gang of Russian cyberthieves in May 2012.
In a lawsuit, the company blamed its financial institution, Trisummit Bank, for the loss and claimed the theft happened only because the bank failed to follow agreed upon security practices. The lawsuit accuses TriSummit of negligence, breach of contract and fraud.
Details of the lawsuit were first reported by security blogger Brian Krebs on Wednesday.
The TEC case is similar to several lawsuits in recent years involving banks and corporate victims of online theft.
Like the others, the theft at TEC appears to have happened after hackers stole the login credentials used by the company to access its bank account.
The hackers then used that access to illegally initiate wire transfers to as many as 55 accounts around the country. The transferred amounts ranged from $500 to $11,000 and totaled more than $327,800.
After the fraud was discovered, TriSummit Bank managed to recover about $135,000 of the illegally transferred funds, leaving TEC short $193,000. The bank gave TEC the money that it recovered, but did not compensate the company for the full amount that was stolen.
In its lawsuit, TEC blamed TriSummit for the loss.
The company claimed that TriSummit should have spotted the fraudulent transactions because they were highly unusual and involved sums and bank accounts that were completely untypical for TEC.
The lawsuit also noted that the bank typically would call TEC to verify wire transfers before executing them but in these cases did not do so.
Neither TEC nor TriSummit responded to a Computerworld request for comment.
In the other cases, banks have argued that they cannot be held responsible if someone illegally uses a customer's valid login credentials to initiate wire transfer requests. They have argued that it is the customer's responsibility to adequately protect the username and password to corporate bank accounts.
Courts have been split on the issue. In June, the U.S. Court of Appeals for the Eight Circuit ruled in favor of the bank in a case involving an escrow firm that suffered a cybertheft similar to the one that hit TEC.
The appeals court held that the bank had acted in good faith when it executed several money transfer orders that appeared to come from the escrow firm but in fact were initiated by crooks. The court rejected the escrow firm's claims that the bank should have spotted the fraudulent transactions, and instead said the theft occurred because the firm had failed to follow the bank's security advice.
However, the Court of Appeals for the First Circuit ruled in favor of the victim in a similar case involving a Maine-based construction company. In that case, a three-judge panel overturned a lower court ruling and held that the bank was responsible for the breach because it had failed to implement reasonable security measures. The two parties later settled the case.