Bank files lawsuit against victim of $800,000 cybertheft

Texas bank sues business customer, claiming cybertheft not its fault

A Texas bank is suing a customer hit by an $800,000 cybertheft incident in a case that could test the extent to which customers should be held responsible for protecting their online accounts from compromises.

The incident, which was first reported by blogger Brian Krebs this week, involves Lubbock-based PlainsCapital bank and its customer Hillary Machinery Inc. of Plano.

In November, unknown attackers based in Romania and Italy initiated a series of unauthorized wire transfers from Hillary's bank accounts and depleted it by $801,495. About $600,000 of the amount was later recovered by PlainsCapital.

Hillary demanded that the bank repay it the rest of the stolen money. In a letter to the bank in December, Hillary claimed that the theft happened only because PlainsCapital had failed to implement adequate security measures.

PlainsCapital promptly filed a lawsuit in the U.S. District Court for the Eastern District of Texas asking the court to certify that its security procedures were "commercially reasonable." In its complaint, the bank noted that it had made every effort to recover the stolen money.

The bank sought to absolve itself from blame in the heist by stating that the unauthorized wire transfer orders had been placed by someone using valid Internet banking credentials belonging to Hillary Machinery. "PlainsCapital accepted the wire transfer orders in good faith," and had therefore not breached any of its agreements with Hillary, the bank said in its complaint.

The complaint itself is somewhat unusual in that it doesn't seek anything specific from Hillary. Rather all it asks is for the court to certify that its systems are reasonably secure.

In an interview with Computerworld today, Troy Owen, Hillary's vice president of marketing, disputed the banks claims. Owen insisted that it was the bank's failure to implement strong authentication and fraud detection measures that had enabled the theft.

"The bank is doing what their attorneys are telling them to do, which is to deny everything," Owen said. "They obviously can't just come out and say they know their systems are insecure so they are trying to bully us with a lawsuit," Owen said.

Owen today claimed that Hillary had no idea how or when its online banking credentials might have been accessed by the cyber thieves.

While the transfers were initiated using valid login credentials, there were several details that should have alerted bank authorities that all was not right, Owen said. The biggest red flag should have been that the money was being transferred to foreign destinations, which had never happened before with Hillary's account, Owen said.

The fact that dozens of transfers were made in a two- or three-day period, many of them involving sums that were outside the normal range of transfers initiated by Hillary should have been another clue about fraudulent activity, he said. Some of the transfers involved sums in excess of $100,000 while some were as small as $2,500. Each of the transfers was also made to a different account, which was highly unusual. Hillary's typical money transfers involve the same limited set of accounts, Owen said.

According to Owen, the thefts were enabled by the weak authentication measures employed by the bank. In addition to usernames and password, the only other authentication the bank required was for users to register the systems they used for online banking transactions. However, that measure was clearly not strong enough because in this case, the cyber thieves were able to log in to Hillary's account using systems that were based in Romania and Italy, he said.

A memo supplied by the bank to Hillary shows that the bank received two requests to register computers on the company's behalf just before the attacks. Though the requests appeared to come from a Hillary e-mail address, the computers from which they were sent had IP addresses based in Italy and Romania, he said.

"They never challenged whoever logged in with a different computer. There was never any red flag," Owen said. Though PlainsCapital has claimed that registering the computer represents a second form of authentication, the thefts show that it wasn't a strong enough measure, Owen said.

"They are trying to get the court to say their systems were secure. Their memo is the proof that it wasn't," Owen said.

John Floeter, a spokesman for PlainsCapital, said the bank was unwilling for the moment to comment on anything beyond what it has stated in its lawsuit.

"PlainsCapital believes that the filing speaks for itself," Foleter said, He also e-mailed a statement from bank President Jerry Schaffner who expressed regret over the incident.

"It is evident that the loss incurred by Hillary Machinery, Inc., although regrettable, was not the result of a cyber attack on PlainsCapital Bank."

The case is also unusual because it is believed to be the first bank to launch a pre-emptive lawsuit against a customer victimized by a cyber theft. Several other cases, where companies that have been victims of such thefts have sued their banks for failing to implement reasonable security measures, are pending in courts around the country.

Hillary is still deciding its next steps, but according to its lawyer, Patrick Madden, the company will next file a response asserting that it was the bank's failure to employ suitable security controls that resulted in the theft.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . Follow Jaikumar on Twitter at @jaivijayan , send e-mail to jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed .

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitylawsuittheft

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jaikumar Vijayan

Computerworld (US)
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?