A Miami businessman is suing Bank of America over $90,000 he says was stolen from his online banking account in a case that highlights the thorny question of who is responsible when a customer’s computer is hacked into.
Joe Lopez, 42, said in a complaint filed Thursday in Circuit Court in Miami that Bank of America was negligent and failed to protect him from online banking risks it knew about.
Lopez is asking to recover the money lost, plus interest and attorney fees. “For Bank of America, $90,000 is peanuts,” Lopez said. “For me, its my world. The bank has turned its back on me.”
The complaint is believed to be the first legal action by a customer against a U.S. bank to recover money apparently stolen by cybercriminals.
Avivah Litan, an expert on online fraud for Gartner Inc., a Stamford, Conn.-based research firm, called it “a landmark case.”
“This exposes all the holes in the system,” Litan said. “Banks technically aren’t responsible for what happens on your PC. But banks can’t reasonably expect consumers to protect themselves from cybercriminals.” Litan expects that future cases like Lopez’s will eventually pressure banks into adopting stricter security measures for online banking.
What Lopez calls his nightmare began April 6, when he logged on to check on a wire transfer he was expecting. As head of Ahlo Inc., a five-person company in the Doral area of Miami-Dade that buys and sells printer ink and toner, Lopez often wires money to and receives transfers from U.S. and Latin American companies.
When he checked his account, Lopez found that $90,348.65 had been wired to Parex Bank in Riga, Latvia — without his approval. “I thought I was going to throw up,” he said.
According to the complaint filed on Thursday, about $20,000 of the money was withdrawn by the fraudulent recipient in Latvia. The rest, roughly $70,000, was frozen by Parex, where it remains.
The U.S. Secret Service, which investigates computer-based attacks on banks, sent Lopez a letter in November saying its “initial examination” had determined that a variant of a virus called coreflood had existed on his computer systems.
The letter noted that coreflood is malicious software code that can give an attacker remote access to the infected system, but it did not explicitly say coreflood was the cause of the loss. Representatives of the Secret Service Miami office were unavailable for comment Friday, and have previously declined to talk about the investigation.
The allegations in Lopez’s complaint against the bank include breach of contract, negligence, breach of fiduciary duty, fraud and deceit, and intentional misrepresentation.
“Bank of America knew of the coreflood virus,” Patino said. “Why not tell their customers?”
Patino cites a letter from Bank of America to customers in July recommending they strengthen their security measures as proof that the bank knew online banking was risky. He and Lopez say a large wire transfer to Latvia, which is known in financial circles for its problems with cybercriminals, should have raised a red flag.
Bank of America spokeswoman Eloise Hale said Friday she was not aware of the complaint. But Hale reiterated comments she made for an article in theSouth Florida Sun-Sentinel in November that the bank’s “internal review of the transaction and documentation confirm all appropriate steps took place.”
Hale said then that Bank of America has in place “stringent” electronic security measures and continually monitors online banking for irregular activity, but she would not say what kind of activity would raise a red flag.
In an e-mail to the Sun-Sentinel in November, Parex compliance official Igor Petrov said Parex was working on the case with “respective authorities and institutions” but couldn’t comment further because of Latvia’s client privacy laws. Internet security experts have estimated that one-third to half of all cybercrimes originate in Russia, Eastern Europe and the Baltic nations, where organized crime is believed to be orchestrating many of the attacks.
In a letter obtained by the Sun-Sentinel, Richard Heilbron Jr., Bank of America’s assistant general counsel, wrote to Lopez’s attorney on April 21 that the bank was not responsible for the loss because no one hacked into its system to initiate the wire transfer.
In a letter exactly one month later, Heilbron wrote that Parex had told Bank of America that any action to recover the funds would require a request to Latvia’s Office of the Prosecutor for a criminal investigation.
“Since we are not responsible for the fraud and have not ourselves sustained a loss, we are not in a position to make such a request,” Heilbron wrote. In yet another letter in July, Heilbron wrote that Bank of America had no legal recourse against Parex because it was not the victim of the fraud. “We too would like Ahlo Inc. to recover its funds,” he wrote.
Since then, to keep his company running, Lopez has taken out a home equity loan of $30,000 and put $20,000 of his savings into the company.
And he no longer does wire transfers online. “Online banking is here to stay,” he said. “But the banks have to step up to the plate.”
Lopez’s lawyer, Ralph Patino of Coral Gables, believes the complaint could become a class-action suit to include others who have had smaller amounts of money vanish from their online banking accounts and may have little recourse.
“If you lost $5,000, you are going to walk away from that $5,000 because there isn’t an attorney in town who will take the case,” Patino said.
Ian Katz can be reached at firstname.lastname@example.org or 954-356-4664.