Skip the navigation
News

Bank sues victim of $800,000 cybertheft

In twist, Texas bank sues business customer, claiming cybertheft not its fault

By Jaikumar Vijayan
January 26, 2010 05:14 PM ET

Computerworld - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.

The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.

In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.

Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.

PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money.

The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. "PlainsCapital accepted the wire transfer orders in good faith" and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.

The complaint itself is somewhat unusual in that it doesn't seek anything specific from Hillary. Rather, all it asks is for the court to certify that its systems are reasonably secure.

In an interview with Computerworld today, Troy Owen, Hillary's vice president of marketing, disputed the bank's claims. Owen insisted that it was the bank's failure to implement strong authentication and fraud-detection measures that had enabled the theft.

"The bank is doing what their attorneys are telling them to do, which is to deny everything," Owen said. "They obviously can't just come out and say they know their systems are insecure, so they are trying to bully us with a lawsuit."

Owen today claimed that Hillary had no idea how or when its online banking credentials might have been accessed by the cyber thieves.

While the transfers were initiated using valid log-in credentials, there were several details that should have alerted bank authorities that all was not right, Owen said. The biggest red flag should have been that the money was being transferred to foreign destinations, which had never happened before with Hillary's account, Owen said.

The fact that dozens of transfers were made in a two- or three-day period, many of them involving sums that were outside the normal range of transfers initiated by Hillary, should have been another clue about fraudulent activity, he said. Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500. Each of the transfers was also made to a different account, which was highly unusual. Hillary's typical money transfers involve the same limited set of accounts, Owen said.



Additional Resources
Options for Protecting against Web Threats
WHITE PAPER
This independent paper from senior analyst Jon Collins at FreeForm Dynamics considers how Web-based security threats are evolving, within the context of IT trends including mobile, home computing and other forms of remote access that could potentially increase the attack surface of the companies. It defines the scale and types of threat, what to look for in a corporate web security solution and compares the different types of technological approach available to companies and the processes that need to be considered for effective protection.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Security White Papers
An Interactive Guide: Bring Your Own Device
BYOD presents significant security and management challenges to IT departments who want to take advantage of the trend, but still protect corporate assets....
Fundamental Principles of Network Security
This paper covers the fundamentals of secure networking systems, including firewalls, network topology and secure protocols. Best practices are also given that introduce...
Protection Against Modern Cybersecurity Threats
Download this case study to learn how this accounting and consulting giant uses Bit9's adaptive application whitelisting to offer employees flexibility without jeopardizing...
A Proactive Approach to Server Security
Learn why security-conscious organizations are taking a more proactive approach to server security. Download this Spire Research whitepaper to understand how you can...
Secure Internet Single Sign-On 101
The rise of online Software-as-a-Service (SaaS) applications has increased the importance of eliminating multiple logins and passwords within the Enterprise via Single Sign-On...
All Security White Papers
Security Webcasts
Live Webcast
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Deduplication Without Compromise
Go inside Quantum's scalable, high-performance, multi-protocol new DXi deduplication appliances, designed to make backup much more effective. Discover how the new future-proof DXi6700...
Director of Disk Products Discusses DXi6700
Discover how the new DXi 6700 series of deduplication appliances provide investment protection and a future-proof feature set, all while delivering fast, scalable,...
Playing Defense: Staying on Top of Your Disaster Recovery Game
When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...
Data Protection and Information Governance
Today, legal hold and information governance are increasingly becoming drivers for data protection. However, few organizations knows what information they have, where to...
Data Protection and Disaster Recovery with iSCSI and VMware
Get this on demand webcast now
All Security Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs