Bank sues ATM maker, insurer


Bank of Oklahoma has sued the company that manufactured hundreds of automated teller machines (ATMs) it sold the Tulsa-based financial institution, claiming the devices were “easily breached by malware attacks”.

BOKF, NA (National Association) also sued Continental Insurance Co. for refusing to compensate the bank for more than $7.3 million in losses it sustained during more than 100 malware attacks on its ATMs in four states.

Both cases were filed in Tulsa’s Northern District federal court.

BOKF, NA is a $50 billion institution operating in Oklahoma, Texas, Arkansas, Kansas, Colorado, New Mexico and Arizona. Through its TransFund division, BOKF serves its customers via a network of more than 2,700 ATMs.

In 2019 TransFund began replacing its ATMs that were manufactured and maintained by Diebold Nixdorf because the machines were “approaching the end of their useful life cycle,” BOKF reported.

The bank paid a little over $4 million to purchase 502 ATMs from Nautilus Hyosung America, “the largest manufacturer of ATMs and their related parts,” and delivery and installation of the ATMs started in June 2020, according to the lawsuit petition. Hyosung, a Delaware corporation whose principal place of business is in Irving, Texas, assured BOKF that its ATMs would be “free of defects in materials and workmanship,” the bank claims.

Hyosung located the ATM’s hard drive inside the machine “underneath what is called a ‘top hat,’” which is secured with a mechanical lock and key. Hyosung’s top hat was made of plastic.

TransFund asked that the top hats be secured with locks and keys “unique to TransFund for each ATM,” but Hyosung installed its ATMs with “universal locks and keys,” the lawsuit alleges. In addition, Hyosung installed most of the ATM routers outside the machines, “which provided an easy target and easy access by criminals…”

Hyosung’s ATMs were “unusually susceptible” to either “jackpotting” or “man-in-the-middle” attacks, BOKF asserts.

In a jackpotting event, an attacker used a simple box knife, pocket knife, “or even a pair of scissors” to cut a hole in the plastic top hat through which the individual could easily gain access to the ATM hard drive, or accessed the ATM hard drive because Hyosung “failed to use a lock and key unique to TransFund for the ATM.”

In each man-in-the-middle incident, the thief “secretly placed a device that intercepted and related messages by means of the exposed router.”

In either instance, the thief installed software “specifically designed to gain unauthorized access to the ATM computer system” and used the malware to withdraw cash from the ATM.

From September 2021 through January 2022 TransFund experienced losses in 118 separate attacks on Hyosung’s ATMs that resulted in damages “in excess of $11,483,703,” including the theft of more than $7.3 million in cash, BOKF alleges.

However, none of the ATMs TransFund bought from other manufacturers were successfully attacked “during the same period,” BOKF said. Furthermore, Hyosung “failed to timely respond to TransFund once the attacks” on the ATMs “were discovered and reported.”

After “repeated discussions” concerning the breaches, TransFund in October 2021 declined to pay any more maintenance invoices “until Hyosung demonstrated required contract performance.” The agreement between the two parties was terminated by Hyosung in August 2022, according to the lawsuit petition.

BOKF and TransFund sued Hyosung for breach of agreement, fraudulent inducement, and gross negligence.

In a “preliminary statement,” Nautilus Hyosung claimed that the agreement between the two parties “excludes all types of damages claimed by BOKF.”

A jury trial in the case originally was scheduled for July 15, but U.S. District Judge Terence C. Kern extended the deadline for motions to Aug. 4.

 

BOKF sues insurer, too

 

BOKF sued Continental Insurance Co. on June 22 for allegedly refusing to compensate the bank for the $7.3 million in cash that was stolen during the 118 malware attacks against ATMs located in convenience stores in Oklahoma, Texas, Iowa and Arizona. Continental maintains that “coverage as to all of the ATM attacks was constrained to $275,000” – or 3.76% of BOKF’s total loss.

Continental is a Pennsylvania corporation whose principal place of business is in Illinois. The company is a wholly owned subsidiary of CNA Financial Corp., one of the largest commercial property and casualty insurance companies in the U.S.

BOKF reports in its lawsuit that since 2018 it has paid Continental “millions of dollars” in premiums for “multiple lines of insurance.”

In particular, the bank says, Continental “agreed to provide insurance coverage for the period May 12, 2021, to May 12, 2022, pursuant to a Financial Institution Bond…” In general, a financial institution bond insures banks and other financial institutions “against burglary, robbery, forgery, and similar crime exposures,” the bank explained.

The policy BOKF bought from Continental provides coverage for loss of property resulting directly from “theft, false pretenses, common-laws or statutory larceny, committed by a person present in an office or on the premises of the Insured.”

Under “Computer Systems Fraud” the policy provides coverage for loss resulting directly from a fraudulent “entry of Electronic Data or Computer Programs into, or change of Electronic Data or Computer Programs within any Computer System operated by the Insured … provided that the entry or change causes (a.) property to be transferred, paid or delivered; (b.) an account of the Insured, or of its customer, to be added, deleted, debited or credited; or (c.) an unauthorized account or a fictitious account to be debited or credited.”

The policy also specifies a general “Single Loss Limit of Liability” of $15 million.

BOKF claims both parties stipulated that “with respect to ATMs not situated within a staffed BOKF office,” Continental’s liability would be limited to $275,000 for each device location…” Some BOKF-owned ATMs are located within bank branches, while others are situated elsewhere, including inside convenience stores such as QuikTrip, 7-Eleven and OnCue.

Ever since December 2021, Continental has “intransigently refused to recognize any coverage” beyond $275,000, BOKF complains.

Continental had not yet responded to the lawsuit as of June 26. That case is pending before U.S. District Judge Gregory K. Frizzell.