Tennessee Electric Company (TEC Industrial) is suing its bank, TriSummit, after falling victim to a $327,000 cyber-heist. The attackers likely used password-stealing malware, and then logged in to the bank using TEC credentials to siphon the funds. TEC is suing because, it said, TriSummit allowed an "unauthorized transfer of funds."
The move is notable in that it holds banks responsible for not only recovering the stolen funds, but also for damages for negligence in their security measures, opening up a discussion of who exactly is responsible for hacker intrusions in the case of stolen credentials. Should the bank have additional protections in place before agreeing to money
Security researcher Brian Krebs explained that unlike consumers, most businesses do not enjoy heist protections and reimbursement from their financial institutions. But, he added that “it’s generally not in the business’s best interests to sue their bank unless the amount of theft was quite high, because the litigation fees required to win a court battle can quickly equal or surpass the amount stolen.”
However, “This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyber-heists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss),” he said.
Particularly if it’s successful, it is likely that we will see more moves like this as criminals ramp up their efforts. Security researchers liken the trend to a modern-day, virtual Bonnie and Clyde-style spree. “Cyber-heists are the new way to steal from organizations and businesses,” said Eric Chiu, president and co-founder of HyTrust, in an email. “Why would anyone want to break into a vault at a bank when they can hijack an employee's online banking session and route money to accounts across the world?”
Researchers say that for banks, the responsibility to protect users’ funds should go beyond the physical vault to include airtight cyber-security.
“This action underscores the increasing focus on responsibility for maintaining end-to-end security for customers,” said Steve Hultquist, chief evangelist at RedSeal Networks, in a comment to Infosecurity. “Security in the internet age has been an afterthought, but it has rapidly moved to the forefront and become the primary requirement for business. Virtually every business must be available on the internet, and protecting transactions and customer data is paramount.”
“Executives must be asking their teams to measure the risk they have of cyber-attack, to frequently report on the improvements made, and to require an ongoing review of the compliance of their technology infrastructure,” Hultquist said. “Automation to measure and analyze the real security situation is a critical requirement for every organization.”
Chiu added, “Organizations need to get serious about security to ensure that appropriate access controls as well as monitoring and alerting are in place. In addition, automated approvals such as the two-man rule should be mandated for transactions above a certain amount or dangerous operations. Lastly, consumers need to ensure that they keep their personal information safe and take precautions to secure systems that are used to access work networks and financial websites.”
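The two-man rule Chiu describes is a dual-control check: a transfer above a set amount, or one of a set of high-risk operation types, cannot execute on the say-so of a single login. The example below is an added illustration of that check and is not code from TriSummit, TEC, HyTrust or any product named in the article. The threshold, the list of high-risk operation types and the sample requests are constructed assumptions; the $327,000 figure is the loss reported in the article. The point it makes that the quote only implies: a stolen credential gives the attacker one identity, so the rule only helps if the second approver must be a different identity than the initiator.

```python
"""Dual-control (two-person rule) approval check for outbound transfers.

Added illustration only; not code from any bank or vendor named in the
article. Threshold, high-risk operation list and sample requests are
constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed policy: amounts at or above this need a second, distinct approver.
DUAL_CONTROL_THRESHOLD = 10_000.00

# Constructed: operation types that always need dual control regardless of amount
# (adding a payee or changing limits is how a hijacked session sets up a theft).
HIGH_RISK_OPERATIONS = {"new_payee", "international_wire", "limit_change"}


@dataclass
class TransferRequest:
    request_id: str
    initiator: str                  # user whose session submitted the transfer
    amount: float
    operation: str                  # e.g. "domestic_ach", "international_wire"
    approvals: list = field(default_factory=list)   # user ids that approved


def requires_dual_control(req: TransferRequest) -> bool:
    """True if the request needs a second person before it may execute."""
    return req.amount >= DUAL_CONTROL_THRESHOLD or req.operation in HIGH_RISK_OPERATIONS


def evaluate(req: TransferRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Self-approval is rejected: an approval recorded under the initiator's own
    user id is exactly what a compromised credential can produce, so it does
    not count toward the second person.
    """
    if req.amount <= 0:
        return False, "invalid amount"
    if not requires_dual_control(req):
        return True, "below threshold, single control sufficient"
    distinct_approvers = {a for a in req.approvals if a != req.initiator}
    if not distinct_approvers:
        return False, "dual control required: no approver distinct from initiator"
    return True, "dual control satisfied by " + sorted(distinct_approvers)[0]


def review_batch(requests: list) -> dict:
    """Evaluate a batch; blocked requests are returned as alerts for monitoring.

    Returns {"executed": [ids], "alerts": [(id, reason)]}.
    """
    result = {"executed": [], "alerts": []}
    for req in requests:
        allowed, reason = evaluate(req)
        if allowed:
            result["executed"].append(req.request_id)
        else:
            result["alerts"].append((req.request_id, reason))
    return result


# Constructed sample batch. "acct_payable" stands for a user whose credentials
# were stolen; the attacker can initiate, and can only "approve" as that same user.
SAMPLE_REQUESTS = [
    TransferRequest("r1", "acct_payable", 500.00, "domestic_ach"),
    TransferRequest("r2", "acct_payable", 327_000.00, "international_wire"),
    TransferRequest("r3", "acct_payable", 327_000.00, "international_wire",
                    approvals=["acct_payable"]),            # self-approval
    TransferRequest("r4", "acct_payable", 327_000.00, "international_wire",
                    approvals=["controller"]),              # second person
    TransferRequest("r5", "acct_payable", 50.00, "new_payee"),
]

if __name__ == "__main__":
    outcome = review_batch(SAMPLE_REQUESTS)
    print("executed:", outcome["executed"])
    for rid, reason in outcome["alerts"]:
        print("ALERT", rid, reason)
```

Run as-is, r1 and r4 execute while r2, r3 and r5 are blocked and surface as alerts, which is the "monitoring and alerting" half of the same recommendation: a blocked dual-control request from an account that never previously sent international wires is worth a human look, not just a silent denial.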