Tenn. Power Company Suing Bank Over Cyber Heist

August 13, 2014

An industrial maintenance and construction firm in Tennessee is suing its bank to recover $327,000 in stolen funds, according to a Krebs On Security report. If the lawsuit proceeds to trial, it could be easier and cheaper for cyber attack victims to recover losses.

According to Krebs On Security: “In May, 2012, Kingsport, Tenn.-based Tennessee Electric Company Inc. (now TEC Industrial) was the target of a corporate account takeover that saw cyber thieves use a network of more than four dozen money mules to siphon $327,804 out of the company’s accounts at TriSummit Bank.”

While the bank was able to recover roughly $135,000 of those unauthorized transfers, Tennessee Electric was on the hook for the rest. This month, the company sued TriSummit in state court, alleging negligence, breach of contract, gross negligence and fraudulent concealment.

Tennessee Electric alleges that the bank only called to seek approval for the fraudulent payroll draft a day after having approved it, and after security blogger Brian Krebs (of Krebs On Security) alerted them to the heist.

According to Krebs’ report on his blog: “This lawsuit, if it heads to trial, could help set a more certain and even standard for figuring out who’s at fault when businesses are hit by cyberheists (for better or worse, most such legal challenges are overwhelmingly weighted toward banks and quietly settled for a fraction of the loss).”

While consumers who bank online are protected by Regulation E’s limits on liability for customers losing money through unauthorized account activity, businesses do not have the same protections. The Uniform Commercial Code (UCC) holds that a payment order received by a bank is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedures and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the name of the customer.”

States across the U.S. have adopted this code, and interpretations mean that the most a business can hope to recover is the amount stolen in a cyber attack – often making it unfeasible to sue the bank and incur litigation fees, the report says.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Tenn. Power Company Suing Bank Over Cyber Heist

Related Articles

Related Products

Report Abusive Comment