| NEW YORK
NEW YORK May 12 Because the sums were large and
such attacks are relatively new, the two Middle East banks hit
in a $45 million ATM heist face an uncertain path in trying to
recover their losses, financial, insurance and legal experts
Oman-based Bank of Muscat lost $40 million and United Arab
Emirates-based National Bank of Ras Al Khaimah PSC
(RAKBANK) lost $5 million in the global heist, U.S. prosecutors
said on Thursday. Hackers gained access through third-party
companies that processed transactions for prepaid debit cards
issued by the banks, the prosecutors said.
While details of what happened are still sketchy, experts
said the banks could bring claims against the processing
companies in court, or they could file claims with their own and
the processing companies' insurers.
"There's no hard and fast rule," said Dan Karson, the
Americas chairman of Kroll Advisory Solutions. "We're in very
much a new cybersphere of finance, and allocating liability is
still very much evolving."
Any claims by banks against the processing companies would
depend on the contracts between the two parties, Karson and
other experts said. Those contracts include industry security
standards, which are required by the major credit card payment
networks, in this case MasterCard.
In most security breach cases, the processing company in
question did not fully comply with the standards, said Doug
Johnson, vice president for risk management policy at the
American Bankers Association.
However, even if the processor failed to comply with
security standards, banks may still be unable to get back their
money. That is because the contracts between processors and
banks, under terms set by credit card companies like MasterCard
or Visa, typically limit the processor's liability.
"They can't make everybody whole, or they'll be out of
business," said Michael Klaschka of Integro Insurance Brokers,
which has many financial institutions as clients. "The bank may
have very little recourse against the credit card processor."
In the hit against Bank of Muscat, the processor is enStage
Inc, based in Cupertino, California, a source close to the Bank
of Muscat said. Bank of Muscat has not commented on the attack.
Officials at enStage did not respond to requests for comment
on Saturday. EnStage CEO Govind Setlur said in a statement in
the Times of India his company had implemented security
enhancements since the attack.
In the RAKBANK case, the processor is India's ElectraCard
Services, according to people familiar with the situation.
RAKBANK has not confirmed that ElectraCard Services is the
payment processor and ElectraCard Services has not commented.
MasterCard has said it cooperated with law enforcement in
the investigation and said its systems were not compromised in
The banks can still try to sue the processors for negligence
or other claims, but their success may be limited by their
contracts, which include regulations that lay out specific fines
and dispute resolution procedures mandated by the credit card
Such lawsuits have proven difficult to win, according to
Joseph Burton of the law firm Duane Morris in San Francisco, an
expert in financial litigation. U.S. federal courts have
generally, but not unanimously, found that banks are restricted
to contractual remedies.
In one major case, card-issuing banks filed a class action
against Heartland Payment Systems after the processor announced
in 2009 that a hack had compromised the data for more than 100
million credit cards.
A federal judge in Houston, Texas, dismissed almost all of
the claims in 2011, finding that the banks were bound by their
contracts, which included regulations set by Visa and MasterCard
that govern how banks can seek relief after a breach. The banks'
appeal is pending.
Bank of Muscat and RAKBANK could also seek payment from
their insurers under their general policies.
Some banks also have additional security coverage for cyber
crime, although experts said the market for such policies is
still relatively immature. It is not known if Bank of Muscat or
RAKBANK carried cyber insurance.
The insurers, in turn, could also press claims against the
processors, or the processors' own insurers.
"It's certainly possible that the bank could be left holding
the bag," said Frederick Rivera of the law firm Perkins Coie, an
expert in financial services litigation in the United States.
A complicating factor is that the banks are located in the
Middle East, while one of the processors is based in India,
making it unclear which courts would have jurisdiction over any
litigation. But experts said the requirements that credit card
companies impose on banks and processors are global in nature.
Federal prosecutors will also seek restitution for the banks
from the defendants arrested in the case, though the amount of
funds available likely won't approach the total amount of stolen
The U.S. Justice Department indicted eight people it said
had withdrawn cash in New York, and prosecutors had seized
hundreds of thousands of dollars in cash and bank accounts,
along with luxury watches and a Mercedes sport utility vehicle.
But the New York cell was just one part of a coordinated global
heist in which $45 million was withdrawn from cash machines in
27 countries on Dec. 21 last year and Feb. 19 this year. U.S.
prosecutors have not said where the ringleaders of the gang were
The prosecutors said the gang targeted prepaid debit cards
issued by the two banks, using hackers who broke into the
payment processing company to raise account balances and
withdrawal limits for the cards.
The heist did not compromise the accounts of any individual
customers, unlike in cases of identity theft. In those cases,
customers are typically made whole by their financial
institution or credit card companies, which in turn seek to be
made whole by the company that was breached.