What's insane is thinking that a bank that handles people's money shouldn't be required to report a coordinated successful attack, regardless of whether their technology is at fault.
The article states that the bank's automated systems were triggered for suspicious activity and the bank ignored them. One would think that at the very least that would make the bank negligent. Of course there is probably more to it than that.
Sure, but banks have vaults. There's a continuum on what is reasonable against known risks. No one would accept a bank saying not to victim blame if they had no security. We know they are targets.
Unfortunately, enforcement online is an international sovereignty issue, so everyone is a target due to high reward and low risk. Until changes are made we must be responsible for our own security. We can still blame attackers at the same time.
If your bank lost your money due to getting hacked would you just shrug and accept that they do money, not IT security and therefore it's outside scope for a negligence claim?
There is nothing that the bank was doing that was so far from the normal practice of securing a website that constitutes negligence. They were even following a published standard.
It's unreasonable to expect the bank to be so overly concerned with their customers' security and excuse the business for not being so with their own.
All major banks have systems whose job is to have a notion of normal and abnormal transactions. Any bank operating at the level of the majors should be able to pick out the $100k electronic funds transfer, which is probably the only customer-not-present paperless ACH transaction of that size in the history of the relationship for a regional construction firm, and require callback authorization for it. That's all they had to do.
The point isn't that the bank should be universally responsible for fraud. It's that the responsibility for fraud does not end exactly at the login prompt.
If you are a bank, and you haven't fixed one of the worst and widest reaching security holes in years by now... well. Criminal negligence would be an appropriate description.
Here is something that doesn't feel right. The article says:
> The breach has so far cost US bank Capital One, one of the 30 institutions affected, more than $270m in compensation and regulatory fines.
The bank claims that it is hacker's fault.
But isn't it wrong? The bank was fined and sued not for having been a victim of a hack but for not storing data securely and not configuring the cloud accounts properly. For not following required procedures. Therefore, as I understand, the bank should have been fined even if there were no breach.
Or are they blaming the hacker for exposing the violations? Do they assume that it is ok to violate regulations as long as nobody knows about it? That's ridiculous.
By that logic, all banks are unsound. It's not turtles all the way down, and pretending the guilty party is blameless because "someone else would have done it" is nonsense.
Compromising bank servers is less harmful than compromising individual customers, because it's the bank (or perhaps the insurance) that's bearing the consequences, not its customers.
There are plenty of reports of people who, after getting refunded for a fraudulent transaction, get told that the bank won't investigate it, and that they should report it to the police themselves if they want to get someone to investigate. That doesn't strike me as banks caring too much.
I'm not saying the banks care nothing for security, and I am sure that they don't want to lose money if they had a choice, but their actions often give an outward impression of not being too bothered about individual losses.
The degree of fault is determined through investigation, and it's not all or none. If the banks had negligently lax security that should have resulted in only 75% of the actual robbed monies being lost, they'd be on the hook for the remainder.
When there's a couple of rogue employees I can understand. When there are millions of fraudulent accounts it starts to look like a policy or at least criminal negligence.
And there are also the companies that are convicted of fraud, like Deutsche Bank, but it's the company that pays a huge fine while the executives who were overseeing all this go unscathed.
I have worked in a bank and I know a lot of people there have no clue what's going on, but the fact that it's true does not mean it's a valid excuse. If I kill a pedestrian with my car I cannot claim it's not my fault because I had my eyes closed.
The whole "bank said my identity has been stolen, they took all my money" fiasco makes it pretty clear banks can blame whatever on whomever, and the judicial system won't do squat.