Bank Not Responsible for Letting Hackers Steal $300K from Customer
June 8th, 2011Via: Wired:
A judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer’s online account isn’t responsible for the lost money, saying the customer should have done more to protect the account credentials.
Magistrate Judge John Rich sided with Ocean Bank in recommending that the U.S. District Court in Maine grant the bank’s motions for a summary dismissal of a complaint filed by Patco Construction Company. The ruling was reported Monday by BankInfoSecurity.
The case raises questions about how much security banks and other financial institutions should be reasonably required to provide commercial customers and could set a precedent for liability in circumstances where customer systems are hacked and banking credentials are stolen. Small and medium-sized businesses around the U.S. have lost hundreds of millions of dollars in recent years to such activity, known as fraudulent ACH (Automated Clearing House) transfers.
Patco Construction Company, a family-owned business in Sanford Maine, sued Ocean Bank, which is owned by People’s United Bank, after discovering in May 2009 that hackers were siphoning about $100,000 per day from its online bank account. The hackers had sent a malicious email to employees that allowed them to surreptitiously install the Zeus password-stealing trojan on an employee computer.
After obtaining Patco’s banking credentials and waiting for its account to fill up with money, the hackers used the credentials to initiate a series of electronic money transfers. Nearly $600,000 in transfers were made out of the account before Patco realized it had been hacked. Ocean Bank, after being notified of the fraud, was able to block about $240,000 in transfers. But Patco was unable to retrieve the rest.
Patco sued the bank for failing to notice the fraudulent activity and stop it. According to Patco, the out-of-character transactions triggered alarms inside the bank, but the bank didn’t notice them and let the transfers go through. Patco also accused the bank of failing to implement “best” security practices by requiring customers to use multi-factor authentication.
Research Credit: John Glenn