Cybertheft victim gets sued by bank
February 1, 2010 by Valerie HelmbreckPosted in: Compliance, Special Report, cybercrime, e-commerce, online banking
Now here’s what I call customer service gone wild: A Texas bank has decided to sue one of its commercial customers that was robbed by a gang of international cyberthieves.
Seems that the Plano, Texas, based company — Hillary Machinery, Inc. — was targeted by criminals from Eastern Europe and Italy last year. The thieves swiped about $800,000 in 48 hours from Hillary’s PlainsCapital Bank accounts using electronic wire transfers.
While plenty of bank customers have sued their banks after cases like this, PlainsCapital is playing offense in this instance and suing its customer. What do they want? For the court to confirm that their security measures were adequate. That’s it.
The suit, however, has one gaping flaw that perhaps PlainsCapitals lawyers have missed: If their security procedures had been adequate, nobody could have stolen Hillary’s money in the first place.
The folks from Hillary are pointing out all the obvious flaws in the PlainsCapital system — for starters, the fact that computer authorization e-mails came from Romania when Hillary is owned and operated in Texas might have been something of a red flag.
The fact that Hillary’s money transfers were historically restricted to only a few other accounts, and that the accounts receiving transferred funds were foreign might have raised eyebrows at other banking security operations.
Of course the folks who own Hillary want all their money back. So far, about $600,000 has been recovered. But PlainsCapital is denying Hillary’s request for the rest of the cash to be restored to their accounts.
So whose fault is it when the a bank is robbed? The depositor who entrusted the assets to the bank, or the institution that promised to protect those assets?
And how dumb is it for a bank that’s been successfully targeted by online criminals to not only try to blame the victim who happens to be their customer, but to ask for public confirmation that their security was up to snuff — when it so obviously wasn’t?
To read more detail about the heist and the lawsuit, check out the excellent post on the topic by computer security blogger Brian Krebs.
FinanceTechNews.com delivers the latest Finance news once a week to the inboxes of over 150,000 Finance professionals.
Click here to sign up and start your FREE subscription to FinanceTechNews!
Tags: cybertheives, Hillary Machinery Inc., lawsuit, PlainsCapital Bank, security, Texas
February 2nd, 2010 at 4:59 pm
Give me a break. However viewed by the banking community as a bold move to keep from incurring debt it this desperate economy, the bank is just avoiding the inevitable. I for one would remove my accounts from Plains Capital Bank unless someone on the banks board comes to their senses, and right away. Matter of fact even if my company was not involved and just a spectator at Plains Capital Bank I would close my accounts and go elsewhere with assurances that this sort to tactics were not in that banking institutions method of doing business, and get it in writing. End of story. $200k is not worth loosing customers over and Plains Capital Bank should figure that out and quick. Talk about cheep tricks. Is Plains Capital saying they don’t have insurance to cover this, yeah, right…..
February 3rd, 2010 at 11:23 am
What is conspicuously missing from this article is the bank’s entire argument.
The banking system has precise and rigid rules that define who can transfer money where and when. They assign risk of loss. Those rules are the only reason banks are willing to do wire transfer at all, and people such as Hillary Machinery benefit greatly from the availability of wire transfer. So maybe the bank is right and the proper victim of this crime is Hillary, not the bank. I’m not going to assume otherwise without any facts.
In fact, it sounds like Hillary isn’t even really disputing the basic rule that the loss is Hillary’s, having to resort to some variation of the written rule wherein bank employees in this particular case should have been suspicious and interfered with the transaction.
I suspect $200K is too much to pay just for PR. And the actual cost would be a lot higher, by setting a new expectation of bank duties by precedent.
February 4th, 2010 at 2:48 am
Read the Krebs article linked in the article. It has a lot of facts. Thanks to a reader on my blog I started researching this more, and through information I found and information links sent to me in comments on the post my opinion on the situation changed. From what I can tell the breach was likely at Hillary, so they have some culpability. But the bank made many mistakes, and share, in my opinion, the lions share of the blame.
February 4th, 2010 at 9:10 am
Its obvious the two above do not understand how the international cyber crooks steal money from Banks. When they have found you, changing banks won’t matter. The only way they leave you alone is when you do not have any more money to steal.
March 29th, 2010 at 6:01 am
[...] posted a story not too long ago about a bank that was actually suing a customer that had been victimized by [...]