Bank sues victim of $800,000 cybertheft
In twist, Texas bank sues business customer, claiming cybertheft not its fault
Computerworld - A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.
The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.
In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.
Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.
PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money.
The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. "PlainsCapital accepted the wire transfer orders in good faith" and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.
The complaint itself is somewhat unusual in that it doesn't seek anything specific from Hillary. Rather, all it asks is for the court to certify that its systems are reasonably secure.
In an interview with Computerworld today, Troy Owen, Hillary's vice president of marketing, disputed the bank's claims. Owen insisted that it was the bank's failure to implement strong authentication and fraud-detection measures that had enabled the theft.
"The bank is doing what their attorneys are telling them to do, which is to deny everything," Owen said. "They obviously can't just come out and say they know their systems are insecure, so they are trying to bully us with a lawsuit."
Owen today claimed that Hillary had no idea how or when its online banking credentials might have been accessed by the cyber thieves.
While the transfers were initiated using valid log-in credentials, there were several details that should have alerted bank authorities that all was not right, Owen said. The biggest red flag should have been that the money was being transferred to foreign destinations, which had never happened before with Hillary's account, Owen said.
The fact that dozens of transfers were made in a two- or three-day period, many of them involving sums that were outside the normal range of transfers initiated by Hillary, should have been another clue about fraudulent activity, he said. Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500. Each of the transfers was also made to a different account, which was highly unusual. Hillary's typical money transfers involve the same limited set of accounts, Owen said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts