Investigative reporter Brian Krebs reports that TEC Industrial, a Tennessee-based industrial maintenance and construction company, is suing TriSummit Bank over a May 2012 cyber attack during which hackers stole $327,804 from TEC’s accounts.
Despite an established system under which all transfers had to be approved by phone, TriSummit apparently transferred $327,804 to the hackers without TEC’s approval. According to Krebs, the hackers likely gained access to TEC’s bank account via password-stealing malware.
“Plaintiff avers that on May 10, 2012, Defendant improperly honored fifty-five separate ACH drafts on Plaintiff’s operating account in amounts ranging from $550 to $11,000, all of which totaled $327,804,” the complaint [PDF] states.
The complaint lists several indications that the drafts should have been recognized as likely fraudulent: they were submitted on a Wednesday, whereas TEC normally uploaded its drafts on Tuesdays; the 55 drafts did not resemble TEC’s usual weekly payroll in either number or amounts; the banks to which the drafts were routed were not the banks TEC’s employees used; and the account names on the transfers did not match the list of TEC employees to which TriSummit had direct access.
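To make those indicators concrete, here is an added example (not from the complaint, from Krebs, or from TriSummit’s systems) of a batch review that checks an incoming ACH payroll batch against a customer’s historical profile on exactly those points: day of week, draft count, per-draft amounts, receiving banks, and payee names versus the employee list. The profile, the 25% count tolerance, the sample drafts, the dates and the placeholder bank identifiers are all constructed assumptions; any flag holds the batch for the out-of-band phone approval the article describes.

```python
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Draft:
    amount: float
    routing_number: str   # receiving bank (placeholder values below, not real ABA numbers)
    account_name: str     # name on the receiving account


@dataclass(frozen=True)
class PayrollProfile:
    """Baseline built from the customer's past approved payroll batches (constructed)."""
    usual_weekday: int                 # 0 = Monday ... 6 = Sunday
    typical_count: int                 # drafts in a normal weekly batch
    amount_range: tuple                # (low, high) per-draft amount seen historically
    known_routing_numbers: frozenset   # banks employees have been paid through before
    employee_names: frozenset          # the employee list the bank already holds


COUNT_TOLERANCE = 0.25  # assumed threshold: +/-25% of the typical count is unremarkable


def review_batch(drafts, submitted_on, profile):
    """Check an ACH batch against the profile; return (decision, flags).

    Each flag is (indicator, detail). Any flag holds the batch for the
    out-of-band phone approval agreed between customer and bank.
    """
    flags = []

    if submitted_on.weekday() != profile.usual_weekday:
        flags.append(("weekday",
                      f"submitted on {calendar.day_name[submitted_on.weekday()]}, "
                      f"customer normally uploads on {calendar.day_name[profile.usual_weekday]}"))

    lo = profile.typical_count * (1 - COUNT_TOLERANCE)
    hi = profile.typical_count * (1 + COUNT_TOLERANCE)
    if not lo <= len(drafts) <= hi:
        flags.append(("count", f"{len(drafts)} drafts, typical batch is about {profile.typical_count}"))

    low, high = profile.amount_range
    off_range = [d for d in drafts if not low <= d.amount <= high]
    if off_range:
        flags.append(("amount", f"{len(off_range)} drafts outside the usual {low:.0f}-{high:.0f} range"))

    new_banks = {d.routing_number for d in drafts} - profile.known_routing_numbers
    if new_banks:
        flags.append(("bank", f"{len(new_banks)} receiving banks never used for this payroll"))

    unknown_payees = {d.account_name for d in drafts} - profile.employee_names
    if unknown_payees:
        flags.append(("payee", f"{len(unknown_payees)} account names not on the employee list"))

    decision = "hold for phone verification" if flags else "release"
    return decision, flags


# --- Constructed sample data (not taken from the TEC/TriSummit filings) ---
EMPLOYEES = frozenset(f"Employee {i:02d}" for i in range(1, 31))
PROFILE = PayrollProfile(
    usual_weekday=1,                         # Tuesday
    typical_count=30,
    amount_range=(400.0, 2500.0),
    known_routing_numbers=frozenset({"bank-A", "bank-B"}),
    employee_names=EMPLOYEES,
)


def normal_example():
    """A Tuesday batch of 30 drafts that matches the profile on every indicator."""
    drafts = [Draft(400.0 + 70.0 * i, "bank-A" if i % 2 else "bank-B", f"Employee {i + 1:02d}")
              for i in range(30)]
    return review_batch(drafts, date(2012, 5, 8), PROFILE)   # 2012-05-08 is a Tuesday


def suspicious_example():
    """A Wednesday batch of 55 drafts from $550 to $11,000 to unknown banks and payees."""
    step = (11000.0 - 550.0) / 54
    drafts = [Draft(round(550.0 + step * i, 2), f"mule-bank-{i % 7}", f"Account Holder {i}")
              for i in range(55)]
    return review_batch(drafts, date(2012, 5, 9), PROFILE)   # 2012-05-09 is a Wednesday
```

The point of the profile is that every check uses information the bank already holds about the customer, so none of the five flags needs new data to fire; the suspicious batch trips all of them and is held, while the ordinary Tuesday payroll is released untouched.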
The complaint states that TEC was only made aware of the theft when Krebs called the company on May 10, 2012 to say that the company’s accounts may have been hacked by “persons who were located in Russia, the Ukraine or somewhere overseas.”
While TriSummit was able to recover approximately $135,000 of the stolen funds, TEC lost the remaining $192,000.
In its complaint, TEC accuses the bank of negligence, breach of contract, gross negligence and fraudulent concealment.
Krebs suggests that if the lawsuit goes to trial, it could set a clear standard that would make it both cheaper and easier for cyberheist victims to recover losses. Under the Uniform Commercial Code (UCC), businesses are currently unable to recover any more than the amount stolen, meaning that any litigation fees remain the business’ responsibility.
“We’re still seeing lawyers who are hunting for their best argument in terms of financial recovery, but what they’re really searching for is a way to get this out of the UCC and out of contract law, because under those you only get actual damages,” John Marshall Law School adjunct professor Charisee Castagnoli told Krebs. “And there’s really no way under the UCC and contract law theory to apply an economic recovery that will be an incentive for banks to change their behavior.”
Eric Chiu, founder and president of HyTrust, said by email that companies need to understand that cyberheists like this are a real threat. “Why would anyone want to break into a vault at a bank when they can hijack an employee’s online banking session and route money to accounts across the world? Organizations need to get serious about security to ensure that appropriate access controls as well as monitoring and alerting are in place,” he said. “In addition, automated approvals such as the two-man rule should be mandated for transactions above a certain amount or dangerous operations.”
And RedSeal Networks chief evangelist Steve Hultquist said by email that this incident underscores how crucial it is for businesses to maintain end-to-end security. “Virtually every business must be available on the Internet, and protecting transactions and customer data is paramount,” he said. “Executives must be asking their teams to measure the risk they have of cyber attack, to frequently report on the improvements made, and to require an ongoing review of the compliance of their technology infrastructure.”