Patco Construction Company had been a commercial customer of Ocean Bank, a People's United Bank subsidiary, for more than 20 years before a hacking incident in May 2009 shook that confidence to the core. After a Zeus malware variant let cybercriminals drain more than $300,000 of Patco's funds in a matter of days, the firm pursued legal action. After three and a half years and a series of appeals, People's United agreed to reimburse its client's losses in a settlement that is already echoing across the financial services sector.
According to Wired, the fraudulent activity took place over roughly one week, during which six unauthorized transactions moved nearly $600,000 out of Patco's account. Patco noticed partway through and notified the bank, which was then able to block or recover approximately $240,000 of the transfers. The construction company was told, however, that it would not be reimbursed for the remainder of its losses.
Naturally, a team of data security experts was called in to trace the anatomy of the breach and help determine who was at fault, in both the administrative and the legal sense. According to Wired, the intruders infected Patco employee computers and captured the company's online banking credentials from them. The cybercriminals then sat back and waited for the account balance to build before making a series of large transfers to external accounts.
Although Patco's own malware defenses and an employee's naivete appear to have been the primary culprits, forensic investigators found that the bank's customer authentication protocol was an additional source of weakness.
According to Wired, the transfers were flagged as "high risk" on account of their timing, geography and monetary value, but those alerts were never acted on: the transactions were approved without any notification to Patco. The bank maintained that its responsibility extended only to verifying that the login credentials presented were authentic. That check could not help here, because the credentials were genuine; they had simply been stolen and were being entered by the thieves.
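The control the article describes as missing is the step between "flagged as high risk" and "approved": the flag has to gate the transfer, and a valid password must be treated as necessary but not sufficient. The following is an added example written for this page, not code from the article or from any bank's system. It builds a per-customer profile from prior transfers, scores new requests on amount, destination country, beneficiary and timing, and holds high-scoring ones for out-of-band confirmation. All transfers, the country code "XX", the beneficiary identifiers and the thresholds are constructed, illustrative assumptions.

```python
"""Risk-based screening of outbound funds transfers (added example, not the
article's or any bank's code). A transfer the model flags as anomalous is held
for out-of-band confirmation instead of being approved because the login
credentials checked out. All data and thresholds below are constructed."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    amount: float
    beneficiary_country: str  # "XX" below is a made-up placeholder code
    beneficiary_id: str       # assumed identifier for the destination account


@dataclass(frozen=True)
class Profile:
    mean_amount: float
    std_amount: float
    countries: frozenset
    beneficiaries: frozenset
    earliest_hour: int
    latest_hour: int


# Constructed baseline: the customer's recent transfers, all domestic,
# all during business hours, all of modest size.
HISTORY = [
    Transfer(datetime(2009, 4, 3, 10, 15), 4200.00, "US", "vendor-a"),
    Transfer(datetime(2009, 4, 10, 14, 40), 9800.00, "US", "vendor-b"),
    Transfer(datetime(2009, 4, 17, 9, 5), 6100.00, "US", "vendor-a"),
    Transfer(datetime(2009, 4, 24, 11, 30), 7300.00, "US", "payroll"),
    Transfer(datetime(2009, 4, 30, 16, 0), 8900.00, "US", "vendor-c"),
]


def build_profile(history: list) -> Profile:
    """Summarise what 'normal' looks like for this customer."""
    amounts = [t.amount for t in history]
    hours = [t.ts.hour for t in history]
    return Profile(
        mean_amount=mean(amounts),
        std_amount=pstdev(amounts) or 1.0,  # avoid division by zero on a flat history
        countries=frozenset(t.beneficiary_country for t in history),
        beneficiaries=frozenset(t.beneficiary_id for t in history),
        earliest_hour=min(hours),
        latest_hour=max(hours),
    )


def risk_score(t: Transfer, p: Profile) -> tuple:
    """Score one transfer against the profile; the weights are illustrative."""
    score, reasons = 0, []
    z = (t.amount - p.mean_amount) / p.std_amount
    if z > 3:
        score += 3
        reasons.append(f"amount {t.amount:.2f} is {z:.1f} sd above the customer mean")
    if t.beneficiary_country not in p.countries:
        score += 2
        reasons.append(f"first transfer to country {t.beneficiary_country}")
    if t.beneficiary_id not in p.beneficiaries:
        score += 1
        reasons.append(f"new beneficiary {t.beneficiary_id}")
    if t.ts.weekday() >= 5 or not (p.earliest_hour <= t.ts.hour <= p.latest_hour):
        score += 2
        reasons.append(f"submitted {t.ts:%a %H:%M}, outside the customer's usual window")
    return score, reasons


HOLD_THRESHOLD = 3  # assumption: a score at or above this is "high risk"


def decide(t: Transfer, p: Profile, credentials_valid: bool) -> tuple:
    """Return (decision, reasons). Valid credentials are necessary, not sufficient."""
    if not credentials_valid:
        return "reject", ["login credentials failed verification"]
    score, reasons = risk_score(t, p)
    if score >= HOLD_THRESHOLD:
        # The flag gates the transfer: hold it and confirm with the customer
        # through a channel the attacker on the infected PC does not control.
        return "hold_for_confirmation", reasons
    return "approve", reasons


# Constructed requests, all submitted with credentials that verify correctly.
REQUESTS = [
    Transfer(datetime(2009, 5, 8, 13, 0), 7000.00, "US", "vendor-d"),   # ordinary
    Transfer(datetime(2009, 5, 8, 3, 12), 98000.00, "XX", "acct-9"),    # anomalous
    Transfer(datetime(2009, 5, 9, 2, 45), 120000.00, "XX", "acct-17"),  # anomalous
]


def screen_batch(requests: list, p: Profile) -> list:
    """One decision per request, in order; held items go to out-of-band confirmation."""
    return [decide(t, p, credentials_valid=True)[0] for t in requests]


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for t, d in zip(REQUESTS, screen_batch(REQUESTS, profile)):
        print(f"{d:22s} {t.amount:>10.2f} -> {t.beneficiary_id} ({t.beneficiary_country})")
```

The point of the design is the last branch of `decide`: scoring is only useful if a high score changes the outcome. Logging the flag and approving anyway, which is what the article says happened, gives the customer no chance to intervene, and a password check cannot distinguish the customer from an attacker holding the same password.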
Feeling hard done by, Patco decided to pursue legal action against Ocean Bank over what it regarded as lax security. Its executives were not immediately aware, however, of how their status as commercial banking customers could work against them.
Unlike consumer accounts, whose funds are protected under federal law, commercial accounts get comparable protection only at the state level, through each state's enactment of the Uniform Commercial Code. As Computerworld pointed out, Patco's only recourse was to sue the bank under the UCC's funds-transfer provisions (Article 4A), which leave the bank responsible for an unauthorized transfer unless its security procedure was "commercially reasonable". Patco argued that the bank should have recognized that the activity pattern was out of character and, at the very least, notified executives before approving such large transfers to unfamiliar, international accounts.
In May 2011 the court sided with Ocean Bank, finding the bank's inaction disappointing but not a breach of its legal obligations in this civil dispute. Encouraged by the court's concession that the bank could have done more to detect the fraudulent activity, Patco took its case to the court of appeals.
Last week, Patco's perseverance finally bore fruit. After the appeals court found that the bank's security procedures were not commercially reasonable and sent the case back, People's United Bank agreed to a settlement that reimburses the construction company for its $300,000 in lost funds, plus $45,000 in interest.
"This case says to banks and to commercial customers … that there are circumstances in which the bank cannot shift the risk of loss back to the customer, and we're not going to assume that security procedures are commercially reasonable just because the bank has a system they say is state-of-the-art," Patco's lead counsel Dan Mitchell told Wired.
Data Security News from SimplySecurity.com by Trend Micro