What's happening: Another corporate victim of cybertheft goes public; sues bank over sophisticated online bank heist
What it means: This is our 9th posting on online bank theft in the last month. It illustrates how the world of cybercrime has changed. Cybercriminals are targeting small and medium-size organizations, hacking into their computer systems and stealing money. Banks are reluctant to return the money, claiming that they are following "commercially reasonable" practices. The bank in the article appears not to have been following commercially reasonable practices. Even when banks are following commercially reasonable practices, that may not be sufficient; see our discussion of T. J. Hooper v. Northern Barge in our Guide, "An Emerging Information Security Minimum Standard of Due Care," where Judge Learned Hand wrote: "in most cases reasonable prudence is in fact common prudence; but strictly it is never its measure ... there are precautions so imperative that even their universal disregard will not excuse their omission."
What to do: Management must get on top of this problem. Check bank transactions daily. Train staff to recognize cybercrime danger signs. Tightly manage technology controls. Consider a separate PC used only for online banking. Check your cyber-insurance. Be prepared to sue your bank: email our Guide, "An Emerging Information Security Minimum Standard of Due Care," to your attorney.
**********************************
From Brian Krebs; Washington Post: Maine Firm Sues Bank After $588,000 Cyber Heist
A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.
http://voices.washingtonpost.com/securityfix/2009/09/construction_firm_sues_bank_af.html