A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds.
TRC Operating Co. Inc., an oil production firm based in Taft, Calif., had its online accounts hijacked after an account takeover that started late in the day on Friday, November 10, 2011. In the ensuing five days, the thieves would send a dozen fraudulent wires out of the company’s operating accounts, siphoning nearly $3.5 million to accounts in Ukraine.
The oil firm’s financial institution, Fresno-based United Security Bank, successfully blocked or recalled all but one of the wires – for $299,000. Nevertheless, TRC later sued its bank to recover the remaining wire amount, arguing that USB failed to offer a commercially reasonable security procedure because the bank offered little more than a user name and password to help secure the account.
“For all intents and purposes, they got a user name and password, but were never offered any other security,” said Julie Rogers, an attorney for the Dincel Law Group, the San Jose firm that represented TRC in the dispute (as well as another California cyberheist victim that successfully sued its bank for $400,000 in 2012). “TRC had a cash management liaison assigned to them by the bank who assured them that this was all safe and reliable.”
Last week, just days before the case was set to go to trial, the insurance company for the bank settled the lawsuit, agreeing to cut a check for $350,000 to the oil company and with neither side admitting fault in the incident. Under California law, the most that any business can recover from a cyber fraud lawsuit is the amount stolen from its accounts — plus interest.
Dennis Woods, founder and CEO of United Security Bank, said the hack took place on TRC’s computers — not the bank’s — after an employee at TRC fell for a phishing scam. Further clarification indicates that the TRC employee likely had malware on his computer that deployed a “Web inject,” a malcode component that springs into action when the victim logs in at an online banking site.
Web injects are so named because they inject code into the victim’s Web browser window, causing a pop-up screen that prompts the victim to enter additional sensitive information, such as a Social Security number, date of birth, and mother’s maiden name. That information is useful for thieves in changing victim account settings at the bank that aids in the subsequent cyberheist, such as resetting account access, adding authorized users and changing contact email addresses. For more on what a Web inject looks like, see this video.
Woods said he was disappointed with the insurance company settlement because it prevented the case from going to trial.
“I was very eager for the court to say that customers can make all the agreements in the world but that they are not bound by them,” Woods said sarcastically. “TRC had signed up for an online banking product where they could automate certain things — sending wires, putting stop payments in, etc. — and when you do that, we come to your office, we train you, and you sign lots of agreements that state very clearly what the bank’s responsibilities are and what the customers’ are.”
TRC attorney Rogers said the bank never proved the phishing claim, nor allegations (however likely) that the company’s servers were hacked.
“It turns out the bank’s expert ended up writing an incident report blaming it all on TRC, but they never actually looked at the [allegedly compromised] TRC computer,” Rogers said.
Lawyers, banks and oil companies. Many readers no doubt will have trouble shedding a tear for any of the parties involved in this dispute. But those who own their own businesses should take heed: Banking online carries serious risks. As we have seen time and again, a single virus infection can ruin your company. And I wouldn’t count on the lawyers to save your firm from the very real cost of a cyberheist: These court challenges can just as easily end up costing the victim business well more than their original loss (see Ruling Raises Stakes for Cyberheist Victims).
Businesses do not enjoy the same protections against cyberfraud that are afforded to consumer banking customers. If this is news to you, or if you’d just like some tips how to reduce your exposure to online banking fraud, please take a moment to read my recommendations here: Online Banking Best Practices for Businesses.