A court has ruled in favor of a California oil company which lost $350,000 in 2011 via a cyberheist. The court ordered that the bank where the firm held its accounts and which were accessed by hackers reimburse the stolen money.

Hackers targeted the bank account of TRC Operating Co. Inc late on November 10, 2011. They managed to highjack the account of the said company which is based in Taft, California. For five days following Friday the 10th, the cybercriminals managed to spirit off a whopping $3.5 million to accounts based in Ukraine.

United Security Bank (USB) which is located in Fresno is the oil company’s bank. During the cyber attack on their customer’s account, the bank reclaimed all the illegal wire transfers. However, the bank failed to stop one transfer totaling $299,000. TRC sued the bank for the lost funds. In its case, it argued that the bank failed to use commercial procedures that are reasonably secure. For a customer to open an account with USB, what one was offered was basically a username and a password.

According to a Dincel Law Group lawyer, Julie Rogers who represented TRC, the clients were only offered a username and a password to enhance their banking security. The law firm had also represented another cyberheist victim in 2012 in successfully suing its bank for the loss of $400,000. The lawyer added that the client had an arrangement with USB where the bank was to perform some cash management functions for TRC. The bank had assured TRC of the reliability and the safety of the new service.

The insurance company for the bank agreed to make a check of $350,000 to settle the lawsuit. This was done just a few days before the set date for trial. The agreement, however, was that neither party admits liability to the cyberheist incident. A business which has had its money stolen through cyber fraud can only recover the principal plus interest under California law.

An employee at TRC was the one who let in the phishing criminals inadvertently. Using the employee’s account, the criminals got access to the company’s bank credentials. According to Dennis Woods, founder, and CEO of USB, the bank’s computer system was never compromised.

After conducting further investigation, it became apparent that the said employee probably had a malware in their computer which then introduced a ‘web inject’. The web inject is a rogue code that jumps into action the moment a victim logs into an online banking website.

‘Web inject’ introduces a rogue code into your browser’s window. This will make the browser show a ‘pop-up’ screen which asks you to enter sensitive personal information. Because you will be assuming you are on a safe site, you will innocently enter sensitive details such as your mother’s maiden name, date of birth and so on. This information is what the hackers need to change your bank account settings. The cyber criminal will subsequently steal, reset account access settings or even add ‘authorized’ users.

More often than not, individual citizens find themselves abandoned by the system because they rarely get compensated, unlike their fellow corporate citizens.