A bank in Maine has finally agreed to reimburse its client $345,000. This amount was lost to hackers because, as the court ruled, the financial institution’s security practices were “commercially unreasonable”.

People’s United Bank, which owns Ocean Bank, will now have to pay Patco Construction Company all the assets the hackers stole from its account three years ago, plus around $45,000 in interest. Back in 2009, the hackers installed malware on the company’s PCs and stole its banking credentials in order to siphon money from its bank account.

The construction company had argued that People’s United Bank’s authentication system was inadequate and that the bank had failed to contact Patco after the transactions were flagged as suspicious. The bank, however, claimed that it had exercised due diligence because it had verified that the ID and password were authentic.

The judges of the First Circuit Court of Appeals finally ruled in July 2011 that the bank’s security system was improperly configured and advised the two parties to come to a settlement. That’s what they did last week. However, under the settlement, the construction company won’t be reimbursed its attorneys’ fees.

Patco, a family-owned business, sued Ocean Bank after it discovered that intruders were stealing around $100,000 per day from its Internet bank account. They did it by sending a malicious e-mail to Patco’s employees, which allowed them to surreptitiously install the Zeus password-stealing trojan on an employee’s PC. After this, they obtained the company’s banking credentials and used them to initiate a series of online money transfers over a week. Almost $600,000 was transferred out of the account before the company realized it had been hacked. The bank, after being notified of the fraud, managed to block only $240,000 in transfers, and its client was unable to recover the rest.

The company claimed that Ocean Bank’s security system was inadequate and that the financial institution didn’t comply with its own security procedures. Indeed, despite flagging the transactions in question as unusually “high-risk” because of their timing, value and geographical location, Ocean Bank failed to act on the alerts and let the money go without notifying Patco. The company usually made transfers only on Fridays (payroll payments) from its offices in Maine, all from the same IP address, and the largest amount it had ever transferred was around $36,000. The fraudulent transactions, by contrast, exceeded $90,000, were initiated from various IP addresses, and were addressed to people who had never received payments from the company before. In fact, the fraud was discovered only after transfers were sent to nonexistent bank accounts.
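The risk signals the article lists (timing, value, origin IP and payee history) turned into a scorer, as an added example that is not from the article or the bank: instead of only logging an alert, a transfer that trips several signals is held for out-of-band confirmation. The profile values, IP addresses, payee names and the two-signal threshold are assumptions constructed for illustration.

```python
# Added example (not from the article): a transaction risk scorer built on the
# anomaly signals the article lists for Patco's account -- timing, value,
# origin IP and payee history. All profile values and transfers below are
# constructed for illustration; the hold policy is an assumption.
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Profile:
    usual_weekday: int          # 4 == Friday (payroll day)
    known_ips: set              # addresses the customer normally logs in from
    max_amount: float           # largest historical transfer
    known_payees: set           # payees who have been paid before


@dataclass
class Transfer:
    when: datetime
    amount: float
    src_ip: str
    payee: str


def risk_signals(t: Transfer, p: Profile) -> list:
    """Return the list of anomaly signals this transfer trips."""
    signals = []
    if t.when.weekday() != p.usual_weekday:
        signals.append("off-schedule")
    if t.amount > p.max_amount:
        signals.append("over-historical-max")
    if t.src_ip not in p.known_ips:
        signals.append("unknown-origin-ip")
    if t.payee not in p.known_payees:
        signals.append("new-payee")
    return signals


def decide(t: Transfer, p: Profile) -> str:
    """Policy (assumed): two or more signals -> hold for out-of-band
    confirmation; one signal -> release but flag for review; none -> release."""
    n = len(risk_signals(t, p))
    if n >= 2:
        return "hold"
    return "flag" if n == 1 else "release"


# Constructed baseline modelled on the article's description of Patco's habits.
PATCO = Profile(usual_weekday=4, known_ips={"203.0.113.10"}, max_amount=36000.0,
                known_payees={"payroll-vendor"})
# Constructed transfers: a normal Friday payroll run and a fraud-like transfer.
NORMAL = Transfer(datetime(2009, 5, 8, 9, 0), 30000.0, "203.0.113.10", "payroll-vendor")
SUSPECT = Transfer(datetime(2009, 5, 12, 3, 0), 90000.0, "198.51.100.7", "unknown-mule")
```

The point of the `hold` outcome is that an alert nobody reads is no control at all; the release decision has to depend on the score.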