03:27 PM
Connect Directly

Couple's Lawsuit Against Bank Over Breach To Move Forward

Case raises questions about banks' liability in breach of customers' online accounts

A U.S. District Court ruling in a lawsuit against a bank over a hacked online account has raised thorny questions about who's ultimately responsible for the breach of a customer's account.

An Illinois district court denied Citizens Financial Bank's request to dismiss a lawsuit that charges the bank was negligent in protecting a couple's bank account after their user name and password were stolen and used to pilfer $26,000 from their account. The ruling lets the couple, Marsha and Michael Shames-Yeakel, continue with their lawsuit, mostly based on their allegations that the bank failed to properly secure their account.

The bank has held the couple responsible for the money that was stolen after an attacker used their online banking credentials to secure a loan on the account, first depositing it in the couple's business bank account, then wiring it to a bank in Hawaii, and then to a bank in Austria. By the time the couple reported the fraud to Citizens Financial, there was no way to retrieve the money from the Austrian bank, which refused to return it.

Experts are split over whether the couple has a chance of winning the case. But either way, the lawsuit has raised the thorny question of whether a bank should be held liable if a customer's account is breached.

In the court opinion (PDF) obtained by Wired, the couple maintains that Illinois-based Citizens Financial Bank "failed to guard access to Plaintiff's account with adequate security features at the time of the theft," with only a user name and password rather than a more secure multifactor authentication method. They argued the bank should have offered them token authentication.

The court document says the bank stood by its online banking disclaimer that exempts the bank from any liability: "We will have no liability to you for any unauthorized payment or transfer including wire transfer made using your password that occurs before you have notified us of possible unauthorized use and we have had a reasonable opportunity to act on that notice."

But whether the lawsuit holding the bank responsible for the couple's loss will stand up in court is unclear. John Pescatore, vice president and distinguished analyst at Gartner, says he doesn't expect the couple to win the case. "I don't see that this has much chance of succeeding. The real issue is the user's responsibility to protect their passwords, just as it is the car driver's responsibility to protect the car keys. If you leave the keys in the ignition and someone steals your car, suing the car manufacturer for negligence isn't going to work," Pescatore says.

And the argument that the bank should have offered two-factor authentication is moot, he says, because regulation from the Federal Financial Institutions Examination Council (FFIEC) only calls for "risk-based authentication" and doesn't specify it as two-factor authentication. Plus, consumers for the most part have resisted tokens and stronger authentication, while banks for the most part have avoided forcing the issue and "eaten" losses from account breaches, Pescatore says. "It's not going to be simple to prove negligence of the bank," he says. "And if they [the attackers] got their banking passwords, they probably got a lot of [their] other passwords, too."

Bruce Schneier, meanwhile, argues that the customer should not be held responsible for this type of bank account breach. "The banks don't want to be liable," Schneier says. "But it makes no sense that the customer should be responsible for [banking] fraud...The only way to improve security is for the person with the ability to mitigate it [like a bank] to take responsibility for this. Even if it's the customer's fault, the bank should be liable."

Schneier, who also blogged about the case yesterday, says banks should have to follow the same type of rules as credit-card companies when it comes to customer losses from a breach.

The ruling, meanwhile, did grant the bank's motion for a summary judgment on other charges by the couple, including one that sued the bank for reporting the couple's account as delinquent and for leaving out information in its reports.

And a similar lawsuit was filed late last week by Sanford, Maine-based Patco Construction against Ocean Bank after the company's bank account there was pillaged by cybercriminals earlier this year for $588,000, according to a report by The Washington Post. The company alleges that the bank didn't do enough to protect its account.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.