All eyes are on how a Kingsport-based firm's case against its bank over a cyberheist will turn out. The heist, which targeted an industrial and construction firm, cost it $327,000, and the firm is now suing its bank to recover the stolen money. In its suit, the firm alleges that the bank was negligent and breached its contract with the firm.
Tennessee Electric Company (now called TEC Industrial) is based in Kingsport, Tennessee. In May 2012, attackers targeted the company and siphoned $327,804 from its corporate account at TriSummit Bank, routing the money through a network of money mules.
Of the $327,804 sent out by wire transfer, TriSummit managed to recover $135,000, leaving TEC with a loss of slightly more than $192,000. After the dust had seemingly settled, TEC went to court, claiming that the bank had acted negligently, fraudulently concealed information, and breached its contract.
Neither the bank nor Tennessee Electric would comment on the matter when contacted. However, in mid-2012 one of the money mules, who had received thousands of dollars of the funds siphoned from TEC's TriSummit accounts, admitted to having received the money.
According to Tennessee Electric's complaint, the attack began on 8 May 2012. That day the company tried to log into its account through the bank's website to upload the week's payroll and could not. The company's controller called the bank to ask why the account was unreachable online; the bank replied that the site was probably under maintenance and suggested the controller visit the local branch to submit the payroll in person. The company's weekly payroll usually falls between $200,000 and $240,000; that week the controller submitted $202,664.47 at the branch.
Criminals who run cyberheists typically use a banking trojan (a "man-in-the-browser") that captures the victim's username and password and then controls what the victim's browser displays. Some banks require customers to enter a one-time token code at login. The malware intercepts that code as it is typed and, instead of forwarding the victim into the real session, shows a "website under maintenance", "down for maintenance" or generic error page.
While the victim wonders why the site is misbehaving, the attackers use the intercepted one-time code, which is still valid for its short window, together with the stolen credentials to log into the victim's bank account and submit their own payment orders.
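The interception described above, and the reason a login-time code is not enough on its own, as an added example that is not part of the original article. The two bank classes, the 30-second TOTP window, the seed value, the timestamp and the two sample payment orders are all constructed for the demonstration; the transaction-signing variant shown alongside is a standard mitigation and nothing the article says TriSummit used.

```python
import hashlib
import hmac
import struct

# Constructed shared seed between the customer's OTP token and the bank; not a real key.
SECRET = b"constructed-demo-seed-not-a-real-key"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


class LoginOtpBank:
    """Bank that verifies a one-time code only at login. Once a session exists,
    any payment order submitted through it is accepted: the code says nothing
    about *what* is being paid, so a relayed code authorises the attacker's order."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_codes = set()  # replay guard: each code is accepted once

    def login(self, code: str, now: int) -> bool:
        if code in self.used_codes:
            return False
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.used_codes.add(code)
            return True
        return False

    def submit_payment(self, session_ok: bool, order: dict) -> bool:
        return session_ok


def transaction_code(secret: bytes, order: dict) -> str:
    """Transaction-bound code: the token signs the payee list, amount and a nonce
    that the customer sees on the token's own display, so a code for one order
    cannot be reused for a different one."""
    canon = "|".join([str(order["amount_cents"]), ",".join(sorted(order["payees"])), order["nonce"]])
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()[:8]


class TransactionSigningBank:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_nonces = set()

    def submit_payment(self, order: dict, code: str) -> bool:
        if order["nonce"] in self.used_nonces:
            return False
        if not hmac.compare_digest(code, transaction_code(self.secret, order)):
            return False
        self.used_nonces.add(order["nonce"])
        return True


def demo() -> dict:
    now = 1_336_460_010  # constructed timestamp on 8 May 2012, on a 30 s step boundary
    legit = {"amount_cents": 20266447, "payees": ["payroll-batch"], "nonce": "n-0001"}
    fraud = {"amount_cents": 32780400,
             "payees": [f"mule-{i:02d}" for i in range(55)], "nonce": "n-0001"}

    # Scenario 1: login-only OTP. The trojan shows the controller a "site under
    # maintenance" page and relays username, password and the 6-digit code to the
    # attacker, who logs in seconds later inside the same 30 s window.
    bank = LoginOtpBank(SECRET)
    relayed_code = totp(SECRET, now)                    # typed by the victim into the fake page
    attacker_session = bank.login(relayed_code, now + 5)
    fraud_paid = bank.submit_payment(attacker_session, fraud)
    victim_login = bank.login(relayed_code, now + 10)   # the real login now fails; the trojan hides that

    # Scenario 2: transaction signing. The same relay gets the attacker a code
    # computed over the legitimate order; it does not verify over the altered one.
    tsb = TransactionSigningBank(SECRET)
    legit_code = transaction_code(SECRET, legit)
    return {
        "attacker_logged_in": attacker_session,
        "fraud_paid_login_only": fraud_paid,
        "victim_login_after_relay": victim_login,
        "fraud_paid_tx_signing": tsb.submit_payment(fraud, legit_code),
        "legit_paid_tx_signing": tsb.submit_payment(legit, legit_code),
        "legit_replayed_tx_signing": tsb.submit_payment(legit, legit_code),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay guard in the login-only bank does not help the victim: the attacker's relayed login is the first use of the code, so it is the victim's real login that fails, which is exactly what the maintenance page conceals. Binding the code to the order details is what removes the attacker's ability to substitute a different payee list and amount.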
This is exactly what happened to Tennessee Electric according to its controller.
Under the agreement between Tennessee Electric and TriSummit Bank, after a payment had been submitted the customer would follow up with a verbal confirmation the following day. On 9 May, Tennessee Electric called the bank to confirm the $202,664.47 payment made the previous day. To the firm's consternation, the bank had already approved a payroll draft of $327,804 to be distributed to 55 accounts across the U.S., and it had not called the firm to confirm or verify that payment order before paying it out.
According to Tennessee Electric, TriSummit Bank called on 10 May to seek the customer's approval for the fraudulent payment order, a full day after the bank had already made the payment.
Tennessee Electric argues that the bank's laxity is apparent: it should not have released the fraudulent payment without verbal confirmation from Tennessee Electric, and it called to seek approval for that payment only a day after the money was gone. As emerged later, the cyberheist had been carried out by a Russian cybercrime gang.
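A release control of the kind the complaint says was missing, as an added example that is not part of the original article or of the bank's systems. The baseline payroll figures (chosen inside the $200,000 to $240,000 range the article gives), the single-payee history, the tolerance bands, the callback contact and the order identifiers are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, field

# Constructed history of the customer's recent weekly payroll orders: totals in
# cents (chosen inside the $200,000-$240,000 range the article gives) and the
# number of payee accounts each was split across (assumed: one batch account).
BASELINE_TOTALS = [20500000, 21800000, 23900000, 20100000, 22400000, 23300000]
BASELINE_PAYEES = [1, 1, 1, 1, 1, 1]


@dataclass
class PaymentOrder:
    order_id: str
    total_cents: int
    payee_count: int


@dataclass
class ReleaseControl:
    """Holds every payment order until a verbal (out-of-band) confirmation is
    recorded, and reports how far the order departs from the customer's usual
    pattern so the person making the confirmation call knows what to read back."""
    baseline_totals: list
    baseline_payees: list
    amount_tolerance: float = 0.10                   # assumed: +/-10% around the historic band
    confirmed: dict = field(default_factory=dict)    # order_id -> True (approved) / False (rejected)
    audit: list = field(default_factory=list)

    def anomalies(self, order: PaymentOrder) -> list:
        reasons = []
        lo = min(self.baseline_totals) * (1 - self.amount_tolerance)
        hi = max(self.baseline_totals) * (1 + self.amount_tolerance)
        if not lo <= order.total_cents <= hi:
            reasons.append(f"total {order.total_cents} outside baseline band {int(lo)}-{int(hi)}")
        max_payees = max(self.baseline_payees)
        if order.payee_count > 2 * max_payees:
            reasons.append(f"payee count {order.payee_count} exceeds 2x baseline max {max_payees}")
        return reasons

    def record_callback(self, order_id: str, approved: bool, contact: str) -> None:
        """Outcome of the bank calling the customer back on a number it already
        holds on file, never one supplied with the order itself."""
        self.confirmed[order_id] = approved
        self.audit.append(f"{order_id}: callback to {contact} -> {'approved' if approved else 'rejected'}")

    def decide(self, order: PaymentOrder) -> tuple:
        reasons = self.anomalies(order)
        verdict = self.confirmed.get(order.order_id)
        if verdict is None:
            reasons.append("no verbal confirmation on file")
            status = "HELD"
        elif verdict is False:
            reasons.append("customer rejected on callback")
            status = "REJECTED"
        else:
            status = "RELEASED"  # any anomalies were read back on the call and approved
        self.audit.append(f"{order.order_id}: {status} {reasons}")
        return status, reasons


def demo() -> dict:
    ctl = ReleaseControl(BASELINE_TOTALS, BASELINE_PAYEES)
    legit = PaymentOrder("payroll-2012-05-08", 20266447, 1)   # the branch upload
    fraud = PaymentOrder("draft-2012-05-08", 32780400, 55)    # $327,804 to 55 accounts

    before = {"legit": ctl.decide(legit), "fraud": ctl.decide(fraud)}
    ctl.record_callback(legit.order_id, True, "controller, number on file")
    ctl.record_callback(fraud.order_id, False, "controller, number on file")
    after = {"legit": ctl.decide(legit), "fraud": ctl.decide(fraud)}
    return {"before": before, "after": after, "audit": ctl.audit}


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The ordering is the point: nothing leaves the bank until the callback is logged, and the anomaly list is attached to the hold so that an order for $327,804 split across 55 accounts is read back in those terms rather than waved through as "the usual payroll".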
What are the implications of this lawsuit?
This lawsuit could shape the future of cyberheist litigation. If it reaches trial, it may set a precedent for how such cases are handled. The trend so far is that most of these suits are decided in favor of the bank, and where they settle, the settlements are small and unpublicized.
Regulation E protects a bank's consumer customers who use its online services from unauthorized electronic transfers. It sharply limits the customer's liability for money lost through unauthorized activity in their accounts, provided the customer notifies the bank within 60 days of receiving the account statement on which the disputed transaction appears.
Business entities do not enjoy the protection that individual customers have under Regulation E. Instead, the Uniform Commercial Code (UCC), which every U.S. state has adopted, determines whether the bank or the business bears the loss from a cyberheist. Under it, a bank may treat a payment order issued in the customer's name as the customer's own order, whether or not the customer actually authorized it, as long as the bank accepted the order in good faith and in compliance with a commercially reasonable security procedure for verifying such orders. The bank must also have followed any written agreement or special instructions from the customer restricting acceptance of payment orders, and it is the bank that has to prove it met these conditions.
In many states, the UCC is interpreted so that a business that has been attacked can recover at most what was stolen from it. In short, it rarely makes economic or legal sense for a business to sue its bank, especially when the amount is modest, because the litigation costs can easily match or exceed the stolen money.
We can only wait and see what happens in this case. Meanwhile, it is worth noting that the UCC, together with other legal standards and procedures, is making it very hard for businesses to recover any money stolen through cyberheists.