Construction company, bank, settle dispute over $345,000 cyber heist
- 27 November, 2012 20:08
A Maine construction company that sued its bank after losing $345,000 in an online banking heist has settled its dispute after a protracted legal battle that raised questions about the bank's responsibility in protecting customer accounts against cyber fraud.
The settlement between Patco Construction and People's United Bank (formerly Ocean Bank) comes about four months after the U.S. Court of Appeals for the First Circuit faulted the bank's security measures at the time of the theft and advised the two sides to work out a compromise.
Bankinfosecurity.com, which was the first to report the settlement, quoted Patco's co-owner Mark Patterson as saying that the bank has agreed to reimburse the company's losses from the theft. No other details of the settlement were released.
Court records show that the two sides agreed to dismiss the case on Nov. 19. Neither Patterson nor People's United responded to requests for comment on the settlement.
Patco, a family-owned construction company in Sanford, Maine, sued Ocean Bank in 2009 after online crooks believed to be operating in Europe siphoned close to $590,000 in a series of unauthorized Automated Clearing House (ACH) transfers.
About $243,000 was later recovered after the fraud was detected. Patco sued Ocean Bank for the remaining money claiming that the theft was the result of the bank's failure to implement reasonable security measures as defined under the Uniform Commercial Code (UCC).
The lawsuit charged Ocean Bank with negligence and breach of contract for failing to detect and stop the unauthorized ACH transfers even though they were clearly fraudulent. Patco claimed in its lawsuit that the bank should have noticed that the fraudulent transfers were for much higher amounts than the company's usual transactions and were being sent to an unfamiliar overseas bank account.
Patco also faulted Ocean Bank for not implementing stronger authentication mechanisms, such as token-based authentication and out-of-band verification, which many banks were using at the time.
Ocean Bank, for its part, blamed Patco for the loss. The bank said the thieves were able to steal the money only because Patco had allowed them to gain access to the username and password the company used to log in to its commercial banking account.
Ocean Bank insisted that it had processed the ACH requests in good faith after it had verified that the proper IDs, passwords and answers to challenge response questions were being used to conduct the transactions.
In a ruling in May 2011, a Maine Magistrate sided with Ocean Bank and recommended that the U.S. District Court in Maine grant the bank's motions for a summary dismissal of Patco's complaints.
The judge disagreed with Patco's claims about the bank's responsibility for the theft and held that it was Patco's failure to adequately protect its login credentials that had allowed the thieves to steal the money.
However, the judge conceded that Ocean Bank could have done a better job detecting the fraud. He also ruled that the bank had provided clear notice to Patco of its online authentication measures and security controls as well as the extent to which it could be held liable for any mishaps.
On appeal, the First Circuit Court of Appeals in Boston earlier this year overturned that ruling and held that the theft resulted because of Ocean Bank's poor security measures. A three-judge panel at the appellate court ruled that the bank failed to implement commercially reasonable measures to properly authenticate users during ACH transactions. The court also faulted the bank for failing to monitor for suspicious transactions or for altering customers about such transactions.
At the same time, the court held that more hearings were needed to determine how much responsibility Patco should bear for failing to protect its login credentials and urged the two sides to work out a compromise.
The case is important because it was one of the first to raise questions about a bank's responsibility to protect customers against fraudulent ACH transfers. Over the past few years hundreds of small businesses, school districts and municipalities have been victims of the same kind of theft that hit Patco. Both the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have repeatedly warned small businesses about the problem and noted that hundreds of millions of dollars have been siphoned out of the country in the past few years in this way.
The settlement still leaves unanswered the question of who should be responsibility for such breaches, said Avivah Litan, an analyst at Gartner. It does not throw light on how much protection companies have under the UCC in such circumstances, she said.
"I think the settlement proves that it's worth the banks' while to prevent these breaches and account takeovers in the first place," Litan said via email.
"No one really wins in a lawsuit involving account takeover. The banks are better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to," she added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.
Read more about financial it in Computerworld's Financial IT Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
- Top Words Used in Spear Phishing Attacks to Successfully Compromise Enterprise Networks and Steal Data
- Virtual Patching: Lower Security Risks and Costs
- Leading Through Connections – Insights from the Global Chief Executive Officer Study
- Case Study: Gadens Law Firm Reclaims 22 Hours of Lost Productivity Each Month
- The Need for Data Loss Prevention Now
Why change management doesn’t work
Larry Page wants to see your medical records
Dual-Persona Smartphones Not a BYOD Panacea
After two-year hiatus, EFF accepts bitcoin donations again
CIOs struggle to deliver timely mobile business apps: survey
Leading Through Connections – Insights from the Global Chief Executive Officer Study
IBM’s 2012 Global CEO study follows face-to-face discussions with more than 1,700 CEOs and senior public sector leaders from around the globe. The findings examine how CEOs are responding to the complexity of increasingly interconnected organisations, markets, societies and governments. For example, almost one-quarter of CEOs say their organisations operate below par in terms of driving value from data. CEOs have expressed frustration about their inability to capitalise on available information. This is because: “The time available to capture, interpret and act on information is getting shorter and shorter.” CEO, Chemicals and Petroleum, United States Given the need for deeper business insight, the best performing organisations are more adept at converting complex data into insights, and insights into action. Download Entire Report Now.
Protecting Your Data, Intellectual Property, and Brand from Cyber Attacks
Enterprises and government agencies are under virtually constant attack today. It is clear that the cybercriminals, nation-states, and hacker activists waging these attacks are growing increasingly sophisticated and more effective in their efforts to steal and sabotage. Why are today’s security defenses failing? In this battle, your security teams are using outdated arsenal - download now to learn more.
Advanced Malware Exposed
This handbook shines a light on the dark corners of advanced malware, both to educate as well as to spark renewed efforts against these stealthy and persistent threats. By understanding the tools being used by criminals, we can better defend our nations, our critical infrastructures and our citizens. This ebook will provide readers with a new understanding of the rapidly developing cyber threat landscape and practical insights into how they can protect their data and computing infrastructures. Download now.