Calif. bank, oil company settle cyber theft suit

Company lost almost $300K in the incident and alleged the bank's security features were inadequate


June 20 -- A Fresno bank is settling a lawsuit filed by a Kern County oil company over the loss of almost $300,000 to a form of cybertheft called "corporate account takeover."

TRC Operating Co. originally sued United Security Bank in 2012 in Kern County Superior Court, alleging that the bank's security features for online banking were inadequate to prevent Ukrainian hackers from using fraudulent electronic wire transfers to steal money from the company's account.

Attorneys for TRC said hackers attempted 12 electronic payment orders, totaling almost $3.5 million, over a five-day span in November 2011.

Under the terms of the settlement announced this month by TRC, United Security will pay TRC $350,000 -- an amount equal to what hackers actually stole from the company plus accumulated interest, and the maximum that TRC could have recovered had it won the lawsuit, said Julie Rogers, a San Jose attorney representing TRC.

"Under the California Commercial Code, that's all we're entitled to," Rogers said. "The law (governing business banking) is written to the advantage of financial institutions. If there's an incident of cybertheft or corporate account takeover and a business loses money, the most a company can get is what was lost plus interest -- no punitive damages, no attorney fees."

United Security president/CEO Dennis Woods said the settlement is being paid by the bank's insurance company. The settlement terms also mean neither side admitted liability in the case, but in the suit and in comments last week, each side continued to blame the other for not taking sufficient care to prevent the fraudulent wire transfers.

Rogers asserted that while United Security Bank encouraged the company to use its electronic banking services, the bank should have had a more robust process for ensuring authenticity of the wire transfers to prevent fraud. "All they offered their customers was a user name and a password, nothing more than you'd give a junior high student to have an email account," Rogers said.

The legal question in the lawsuit was "whether the security features that a bank or financial institution have were 'commercially reasonable,' " she added. "We argued that it was not commercially reasonable."

Woods said the bank's position is that the bank's security was adequate, but that TRC's owner was an unwitting victim of a "phishing" scheme, in which hackers use email or a fraudulent website to obtain someone's personal and financial account information. "He gave away his ID to a third party, they got into his computer and stole his identity," Woods said. "They never hacked the bank, but they assumed his identity and processed about a dozen wire transfers."

As part of its electronic banking agreements, Woods said, customers assume the liability for keeping their passwords and other information confidential. "There are conditions that customers agree to abide by, and he didn't," Woods said. "If you don't give away your confidential info and identity, you don't get hacked. ... None of our other customers were hacked."

Dissatisfaction

Neither side was completely happy with the outcome, as the central question of liability for the theft from TRC remains unanswered.

The only firm ruling from a judge in the two years since the lawsuit was filed involved a fraud allegation by TRC against the bank itself -- the only way to try to get around the law's limitation of liability to actual losses. Rogers said that allegation stemmed from an investigation of the wire transfers by a computer security analyst hired by the bank, who concluded that the breach was not the bank's fault. "We believe that report contained many, many omissions," Rogers said. But, she added, that allegation "was rejected by the judge."

Rogers said United Security Bank used what is called "single-factor authentication" -- a secure password -- to make sure that whoever was ordering the wire transfers was, in fact, the customer. She added that in 2005, banking regulators advised banks that single-factor security was "ill-advised" and recommended additional layers to authenticate transactions, "but all that costs a lot of money for banks to offer."
