Ocean Bank held responsible after cybercriminals stole $588,000 (464,000 EUR) from firm

Jul 6, 2012 14:35 GMT
Court decides that People's United Bank's security systems are not commercially reasonable

The U.S. Court of Appeals for the First Circuit has ruled that a bank can be held responsible for failing to stop fraudulent transactions made from a customer's account. The decision could have a major impact on similar cases.

In August 2011, a district court decided that Ocean Bank – which has since changed its name to People’s United Bank – could not be held responsible for the fact that one of its clients, Patco Construction Co., lost $588,000 (464,000 EUR) in a cybercriminal operation that took place in 2009, Brian Krebs reports.

However, the appeals court decided that the financial institution’s security measures were not “commercially reasonable.”

Until 2008, Ocean Bank's anti-fraud system asked customers to answer security (challenge) questions only for transactions larger than $100,000 (79,000 EUR). Starting in July 2008, the threshold was lowered to just $1, in response to the large number of fraudulent transfers that targeted small amounts of money, so the challenge answers were requested for practically every transaction.

Since Patco performed numerous online fund transfers, and each of them now required the challenge answers to be typed in, a ZeuS Trojan infection was able to capture both the company's banking credentials and its challenge answers, and the thieves then used them to steal the large amount of money over a period of seven days.

“In our view, Ocean Bank did substantially increase the risk of fraud by asking for security answers for every $1 transaction, particularly for customers like Patco which had frequent, regular and high dollar transfers,” the court stated.

The court ruled in favor of Patco because the bank had failed to monitor transactions and notify customers of suspicious activity, even though it had the ability to do so.

The judges added, “Because it had the capacity to do all of those things, yet failed to do so, we cannot conclude that its security system was commercially reasonable.”
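The two failures the court describes, a challenge-question threshold so low that the answers were exposed on every legitimate transfer, and no monitoring or customer notification of unusual activity, can be illustrated with a small per-transaction risk policy. The following is an added example written for this page, not code from the bank, the court record or Brian Krebs' report; the transfer history, fraud transfers, IP addresses, payee names and score weights are all constructed for illustration.

```python
"""Added illustration: flat-threshold vs. risk-based step-up authentication.

A flat $1 threshold (Ocean Bank after July 2008) asks for challenge answers on
every transfer, so a keylogger on the customer's PC sees them every time.  A
risk-based policy compares each transfer with that customer's own history and
only steps up, or holds and notifies, when something deviates.  All data here
is constructed for the example; it is not the court record.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str
    src_ip: str


# Constructed baseline: frequent, regular, high-dollar transfers (payroll and a
# supplier) from a single office IP, the kind of customer the court mentions.
HISTORY = [
    Transfer(amt, payee, "203.0.113.10")
    for amt, payee in [(48_000.0, "payroll-acct"), (51_500.0, "payroll-acct"),
                       (47_250.0, "payroll-acct"), (52_000.0, "supplier-A"),
                       (49_800.0, "payroll-acct"), (50_400.0, "supplier-A")]
]

# Constructed fraud: smaller amounts to never-seen payees from a new source IP.
FRAUD = [Transfer(9_000.0, "mule-1", "198.51.100.77"),
         Transfer(8_500.0, "mule-2", "198.51.100.77")]


def build_baseline(history):
    """Summarise what is 'normal' for this customer from its own past transfers."""
    amounts = [t.amount for t in history]
    return {"payees": {t.payee for t in history},
            "ips": {t.src_ip for t in history},
            "mean": mean(amounts),
            "sd": pstdev(amounts) or 1.0}  # avoid division by zero for tiny histories


def risk_score(t, base):
    """Score one transfer against the baseline; returns (score, reasons). Weights are illustrative."""
    score, reasons = 0, []
    if t.payee not in base["payees"]:
        score += 3
        reasons.append("new payee")
    if t.src_ip not in base["ips"]:
        score += 3
        reasons.append("new source IP")
    z = abs(t.amount - base["mean"]) / base["sd"]
    if z > 2.0:
        score += 2
        reasons.append(f"amount {z:.1f} sd from usual")
    return score, reasons


def flat_threshold_policy(t, threshold=1.0):
    """Ocean Bank style: challenge questions whenever the amount reaches the threshold."""
    return "challenge" if t.amount >= threshold else "allow"


def risk_based_policy(t, base, step_up_at=3, alert_at=5):
    """Step up only on deviation; high risk also holds the transfer and notifies the customer."""
    score, reasons = risk_score(t, base)
    if score >= alert_at:
        return "hold+notify", reasons
    if score >= step_up_at:
        return "challenge", reasons
    return "allow", reasons


def challenge_exposure(transfers, policy):
    """Count legitimate sessions in which the challenge answers are typed (and loggable)."""
    return sum(1 for t in transfers if policy(t) == "challenge")


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("flat $1 threshold exposes answers on",
          challenge_exposure(HISTORY, flat_threshold_policy), "of", len(HISTORY), "transfers")
    print("risk-based policy exposes answers on",
          challenge_exposure(HISTORY, lambda t: risk_based_policy(t, base)[0]), "transfers")
    for t in FRAUD:
        print(t.payee, "->", risk_based_policy(t, base))
```

With the constructed history, every one of the six legitimate transfers triggers the challenge under the $1 threshold, so a keylogger harvests the answers six times, while the risk-based policy challenges none of them and instead holds and flags both fraud transfers, which is the monitoring-and-notification capability the court says the bank had but did not use.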

The decision came one day after ENISA issued a report advising banks to assume from the start that all of their customers’ computers are infected with malware.