A public hospital in Washington state is suing Bank of America to recoup some of the losses from a $1.03 million cyberheist that the healthcare organization suffered in 2013.
In April 2013, organized cyber thieves broke into the payroll accounts of Chelan County Hospital No. 1 , one of several hospitals managed by the Cascade Medical Center in Leavenworth, Wash. The crooks added to the hospital’s payroll account almost 100 “money mules,” unwitting accomplices who’d been hired to receive and forward money to the perpetrators.
On Thursday, April 19, and then again on April 20, the thieves put through a total of three unauthorized payroll payments (known as automated clearing house or ACH payments), siphoning approximately $1 million from the hospital.
Bank of America was ultimately able to claw back roughly $400,000 of the fraudulent payroll payments. But in a complaint (PDF) filed against the bank, the hospital alleges that an employee on the Chelan County Treasurer’s staff noticed something amiss the following Monday — April 22, 2013 — and alerted the bank to the suspicious activity.
“Craig Scott, a Bank of America employee, contacted the Chelan County Treasurer’s office later that morning and asked if a pending transfer request of $603,575.00 was authorized,” the complaint reads. “No funds had been transferred at the time of the phone call. Theresa Pinneo, an employee in the Chelan County Treasurer’s Office, responded immediately that the $603,575.00 transfer request was not authorized. Nonetheless, Bank of America processed the $603,575.00 transfer request and transferred the funds as directed by the hackers.”
Chelan County alleges breach of contract, noting that the agreement between the county and the bank incorporates rules of the National Automated Clearinghouse Association (NACHA), and that those rules require financial institutions to implement a risk management program for all ACH activities; to assess the nature of Chelan County’s ACH activity; to implement an exposure limit for Chelan County; to monitor Chelan County’s ACH activity across multiple settlement dates; and to enforce that exposure limit. The lawsuit alleges that Bank of America failed on all of those counts, and that it ran afoul of a Washington state law governing authorized and verified payment orders.
In a response (PDF) filed with the U.S. District Court for the Eastern District of Washington at Spokane, Bank of America denied nearly all of the allegations in the lawsuit, including that it ignored the hospital’s warning not to process the $603,575 payment batch.
The bank noted that its contractual obligations with the county are governed by the Uniform Commercial Code (UCC), which has been adopted by most states (including Washington). The UCC holds that a payment order received by the [bank] is “effective as the order of the customer,whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
This cyberheist mirrors attacks against dozens of other businesses over the past five years that have lost tens of millions of dollars at the hands of crooks armed with powerful banking Trojans such as ZeuS. It’s not clear what strain of malware was used in this attack, but the money was funneled through a cashout gang that this blog has tied to cyberheists orchestrated by organized crooks who distributed ZeuS via email spam campaigns.
Business and consumers operate under vastly different rules when it comes to banking online. Consumers are protected by Regulation E, which dramatically limits the liability for those who lose money from unauthorized account activity online (provided the victim notifies their financial institution of the fraudulent activity within 60 days of receiving a disputed account statement).
Businesses, however, do not enjoy such protections. The victim organization’s bank may decide to reimburse the victim for some of the losses, but beyond that the only recourse for the victim is to sue the their bank. Under state interpretations of the UCC, the most that a business hit with a cyberheist can hope to recover is the amount that was stolen. That means that it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.
So, if you run a business and you’re expecting your bank to protect your assets should you or one of your employees fall victim to a malware phishing scheme, you could be in for a rude awakening. Keep a close eye on your books, require that more than one employee sign off on all large transfers, and consider adopting some of these: Online Banking Best Practices for Businesses.