Construction company, bank, settle dispute over $345,000 cyber heist

Both had sought to hold the other responsible for theft

A Maine construction company that sued its bank after losing $345,000 in an online banking heist has settled its dispute after a protracted legal battle that raised questions about the bank's responsibility in protecting customer accounts against cyber fraud.

The settlement between Patco Construction and People's United Bank (formerly Ocean Bank) comes about four months after the U.S. Court of Appeals for the First Circuit faulted the bank's security measures at the time of the theft and advised the two sides to work out a compromise. The outlet that first reported the settlement quoted Patco's co-owner Mark Patterson as saying that the bank has agreed to reimburse the company's losses from the theft. No other details of the settlement were released.

Court records show that the two sides agreed to dismiss the case on Nov. 19. Neither Patterson nor People's United responded to requests for comment on the settlement.

Patco, a family-owned construction company in Sanford, Maine, sued Ocean Bank in 2009 after online crooks believed to be operating in Europe siphoned close to $590,000 in a series of unauthorized Automated Clearing House (ACH) transfers.

About $243,000 was later recovered after the fraud was detected. Patco sued Ocean Bank for the remaining money, claiming that the theft was the result of the bank's failure to implement reasonable security measures as defined under the Uniform Commercial Code (UCC).

The lawsuit charged Ocean Bank with negligence and breach of contract for failing to detect and stop the unauthorized ACH transfers even though they were clearly fraudulent. Patco claimed in its lawsuit that the bank should have noticed that the fraudulent transfers were for much higher amounts than the company's usual transactions and were being sent to an unfamiliar overseas bank account.

Patco also faulted Ocean Bank for not implementing stronger authentication mechanisms, such as token-based authentication and out-of-band verification, which many banks were using at the time.

Ocean Bank, for its part, blamed Patco for the loss. The bank said the thieves were able to steal the money only because Patco had allowed them to gain access to the username and password the company used to log in to its commercial banking account.

Ocean Bank insisted that it had processed the ACH requests in good faith after it had verified that the proper IDs, passwords and answers to challenge response questions were being used to conduct the transactions.

In a ruling in May 2011, a federal magistrate judge in Maine sided with Ocean Bank and recommended that the U.S. District Court in Maine grant the bank's motion for summary judgment dismissing Patco's claims.

The judge disagreed with Patco's claims about the bank's responsibility for the theft and held that it was Patco's failure to adequately protect its login credentials that had allowed the thieves to steal the money.

However, the judge conceded that Ocean Bank could have done a better job detecting the fraud. He also ruled that the bank had provided clear notice to Patco of its online authentication measures and security controls as well as the extent to which it could be held liable for any mishaps.

On appeal, the First Circuit Court of Appeals in Boston earlier this year overturned that ruling and held that the theft resulted from Ocean Bank's inadequate security measures. A three-judge panel at the appellate court ruled that the bank had failed to implement commercially reasonable measures to authenticate users during ACH transactions. The court also faulted the bank for failing to monitor for suspicious transactions or to alert customers about them.
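The signals Patco said the bank should have acted on (amounts far above the company's usual transactions, an unfamiliar overseas beneficiary) and the monitoring and alerting the appeals court found missing are exactly what a per-customer transaction-risk score captures. The following is an added example written for this article, not Ocean Bank's system or any vendor's product; the weights, thresholds, the sample payroll history and the three transfers are constructed assumptions. It scores each ACH request against the customer's own baseline and escalates high-risk ones to a hold plus out-of-band confirmation, the kind of step-up verification the article notes other banks were using at the time.

```python
"""Per-customer anomaly scoring for commercial ACH transfers.

Added illustration for this article; weights, thresholds and sample data
are constructed assumptions, not any bank's actual rules.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AchTransfer:
    ref: str
    amount: float
    beneficiary_account: str
    beneficiary_country: str
    auth_factors: frozenset  # factors presented in the session, e.g. {"password", "challenge_q"}


@dataclass
class CustomerProfile:
    past_amounts: list          # amounts of previously approved ACH transfers
    known_beneficiaries: set    # accounts this customer has paid before
    home_country: str = "US"


# Password and challenge questions are both "something you know" and are typed
# into the same (possibly malware-controlled) session; only these count as a
# genuinely separate factor here.
STRONG_FACTORS = frozenset({"hardware_token", "out_of_band"})

HOLD_THRESHOLD = 60    # hold the transfer and confirm through a separate channel
REVIEW_THRESHOLD = 30  # release, but alert the customer and queue for review


def score_transfer(t: AchTransfer, p: CustomerProfile):
    """Return (score, reasons); a higher score means a more anomalous transfer."""
    score, reasons = 0, []

    # 1. Amount versus the customer's own baseline, as a z-score. The floor of
    #    5% of the mean stops a near-constant payroll history from flagging
    #    trivial drift as a multi-sigma event.
    if p.past_amounts:
        mu = mean(p.past_amounts)
        sd = max(pstdev(p.past_amounts), 0.05 * mu)
        z = (t.amount - mu) / sd
        if z > 3:
            score += 40
            reasons.append(f"amount {z:.1f} sd above customer baseline")
    else:
        score += 20
        reasons.append("no transaction history to compare against")

    # 2. Never-before-seen destination account.
    if t.beneficiary_account not in p.known_beneficiaries:
        score += 30
        reasons.append("new beneficiary account")

    # 3. Destination outside the customer's home country.
    if t.beneficiary_country != p.home_country:
        score += 20
        reasons.append(f"cross-border destination ({t.beneficiary_country})")

    # 4. Session authenticated with knowledge factors only.
    if not (t.auth_factors & STRONG_FACTORS):
        score += 10
        reasons.append("no token or out-of-band factor in session")

    return score, reasons


def decide(score: int) -> str:
    if score >= HOLD_THRESHOLD:
        return "HOLD_AND_VERIFY_OUT_OF_BAND"
    if score >= REVIEW_THRESHOLD:
        return "RELEASE_AND_FLAG"
    return "RELEASE"


def evaluate(t: AchTransfer, p: CustomerProfile):
    score, reasons = score_transfer(t, p)
    return decide(score), score, reasons


# Constructed sample: a small contractor that runs weekly payroll of about $10,000
# to a single known provider, authenticating with password plus challenge questions.
SAMPLE_PROFILE = CustomerProfile(
    past_amounts=[9800, 10200, 9950, 10100, 9900, 10050],
    known_beneficiaries={"payroll-provider-001"},
)
KNOWLEDGE_ONLY = frozenset({"password", "challenge_q"})
SAMPLE_TRANSFERS = [
    AchTransfer("t1", 10000, "payroll-provider-001", "US", KNOWLEDGE_ONLY),  # routine payroll
    AchTransfer("t2", 10000, "vendor-new-017", "US", KNOWLEDGE_ONLY),        # new domestic vendor
    AchTransfer("t3", 95000, "acct-unknown-eu-42", "LV", KNOWLEDGE_ONLY),    # large, new, overseas
]


def run_demo():
    """Score the constructed sample and return {ref: decision}."""
    return {t.ref: evaluate(t, SAMPLE_PROFILE)[0] for t in SAMPLE_TRANSFERS}


if __name__ == "__main__":
    for t in SAMPLE_TRANSFERS:
        decision, score, reasons = evaluate(t, SAMPLE_PROFILE)
        print(f"{t.ref}: {decision} (score {score}) {'; '.join(reasons) or 'no anomalies'}")
```

The point of the design is that the baseline is the customer's, not the bank's: a $95,000 transfer is unremarkable for a large customer but is more than 100 standard deviations above this one's payroll history, and combined with a new beneficiary and a cross-border destination it scores well past the hold threshold even though the session presented valid credentials. The routine payroll run releases, and the new domestic vendor releases with a customer alert, which is the tradeoff any such system has to tune.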

At the same time, the court held that more hearings were needed to determine how much responsibility Patco should bear for failing to protect its login credentials and urged the two sides to work out a compromise.

The case is important because it was one of the first to raise questions about a bank's responsibility to protect customers against fraudulent ACH transfers. Over the past few years hundreds of small businesses, school districts and municipalities have been victims of the same kind of theft that hit Patco. Both the FBI and the Financial Services Information Sharing and Analysis Center (FS-ISAC) have repeatedly warned small businesses about the problem and noted that hundreds of millions of dollars have been siphoned out of the country in the past few years in this way.

The settlement still leaves unanswered the question of who should be responsible for such breaches, said Avivah Litan, an analyst at Gartner. It does not throw light on how much protection companies have under the UCC in such circumstances, she said.

"I think the settlement proves that it's worth the banks' while to prevent these breaches and account takeovers in the first place," Litan said via email.

"No one really wins in a lawsuit involving account takeover. The banks are better equipped to prevent account takeover than their customers are, although certainly customers should institute whatever security measures they have access to," she added.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is
