NY Fire District Sues Bank Over $15 Million Cybertheft
A fire district in New York has filed suit against a local bank, accusing it of being responsible for the cybertheft of over $15 million in district funds. As if that were not bad enough, the bank has responded to the suit by claiming the fire district’s own security lapses caused the losses.
Garden City Park Water/Fire District has filed suit against The First of Long Island Corporation, a one-bank holding company for The First National Bank of Long Island. According to the complaint, between July 12, 2024 and July 15, 2024, cyber-fraudsters managed to steal $15,555,000 in District funds. The theft represented 85% of the District’s total deposits in the defendant Bank’s possession. The Bank, working with law enforcement, was able to recover $4,451,003.23 of the stolen funds.
The suit was filed in Nassau County Supreme Court to recoup the outstanding balance of $11,098,996.77. The District claims the Bank accepted forged documents and violated numerous policies, permitting the scammers to complete 15 fraudulent transfers internationally to accounts in China and Mexico.
Not surprisingly, the Bank has a different story. Quoting from the Bank’s answer:
- Prior to July 12, 2024, on information and belief, unidentified criminals surreptitiously penetrated and compromised the systems of the District and/or corrupted a District employee, and obtained … non-public and confidential information, with or without the knowing assistance of District employees, which thereafter enabled and/or facilitated the criminals to issue fraudulent payment orders to the Bank.
- The criminals continued with their scheme on July 12, 2024 by first sending emails to the Bank using an actual email address of a District official – Michael Ziminski – who had regularly dealt with the Bank.
- On information and belief, the criminals were able to do this by “hacking” into the District’s systems in such a way as to enable the criminals to send emails using Ziminski’s actual email account, using the District’s actual email system and/or discovering and exploiting flaws and failures in the District’s security and email systems as a result of the District’s negligence such that they could effectively impersonate Ziminski.
- On information and belief, the District’s negligent and/or intentional cybersecurity failures to protect its own electronic systems and detect criminal hacking activity within those systems permitted the criminals to appear to the Bank to be a fully authenticated and legitimate regular user of the District’s email system in order to mislead the Bank.
The Bank claims it reasonably relied upon the information provided to effect the transfers as instructed.
Here are copies of the District’s complaint and the Bank’s answer.