Bank says no contractual duty or obligation was breached

Mar 6, 2015 16:25 GMT

A public hospital in Chelan County, Washington, alleges in a complaint filed at the Eastern District of Washington Court that Bank of America processed a large transaction despite receiving information that the transfer was not authorized.

Back in April 2013, hackers managed to infiltrate the payroll systems of Chelan County Hospital District 1 and initiated three transfers to unauthorized accounts, totaling over $1 million / €920,000.

Plaintiff says bank was alerted to suspicious account activity

According to the court document, provided by security blogger Brian Krebs, the Chelan County Treasurer’s staff noticed the suspicious activity on April 22, 2013, four days after the hackers made the transaction requests, and alerted Bank of America.

The last transaction was for $603,575 / €555,000, and at the moment of communication between the two entities, it was still pending. A bank employee, Craig Scott, contacted the Chelan County Treasurer’s staff and asked if the transfer was authorized.

He did not receive clearance for the operation from Theresa Pinneo, a Chelan County Treasurer’s employee, but it appears that the hacker’s request was processed anyway.

Based on this, Chelan County (plaintiff) claims that a breach of contract occurred and initiated a lawsuit against Bank of America.

The financial institution managed to recover a part of the money ($408,000 / €375,000) from the unauthorized request, but the total loss to the hospital is much larger than this.

Bank of America replies by denying allegations

In a response to the Chelan County complaint, Bank of America denied the allegations and said that the financial loss incurred by the plaintiff was caused by events and conditions that were not controlled by the bank, adding that it was the result of the plaintiff’s own negligence.

Bank of America also rejected any allegation that it breached any of its contractual duties or obligations regarding the plaintiff.

Under the Uniform Commercial Code, a bank can process payment requests received in the customer's name if the validation process followed the security procedures imposed by the bank.

This means that, regardless of whether the client authorized the transfer, it will be processed when properly authenticated. In even simpler terms, if a hacker logs into a business’s bank account with the proper credentials and initiates a money transfer, the operation can be processed by the bank.

The same does not apply to consumers, though, who benefit from more protection against fraud: they are not held liable for unauthorized transactions if they notify the bank within a set amount of time from the occurrence of the suspicious account activity.