In a preliminary ruling by a Pennsylvania state court, Joyce’s Jewelry of Uniontown has been allowed to continue its lawsuit against PNC Bank and several of its employees following a significant cyberattack.
The jeweller lost over $1 million due to unauthorised wire transfers, raising important questions about the security responsibilities of banks.
Incident Overview
The cyberattack occurred on May 12, 2022, involving an employee of Joyce’s Jewelry who mistakenly entered login details on a fake website posing as PNC Bank’s. These credentials were used to make 11 wire transfers over a period of 20 hours, depleting the store’s bank accounts. A total of nearly $1.6 million was transferred to parties with no prior transactions with the jeweller.
Allegations and Defences
The lawsuit accuses PNC Bank of not adequately securing its funds, pointing to the unusual transaction sizes and the resultant overdrafts that incurred nearly $200,000 in fees—both atypical for the store’s transaction history.
PNC Bank asserts that it responded appropriately to the transactions and attributes the breach to negligence on part of the jeweller’s employee.
Legal Proceedings and Bank’s Position
The case was initially filed in the Court of Common Pleas of Fayette County, Pennsylvania. Efforts by PNC Bank to move the case to federal court were denied in January 2023. PNC then attempted to dismiss the lawsuit, claiming their actions should be evaluated solely under the state’s Uniform Commercial Code, which covers wire transfers.
Implications for the Jewelry Industry
This case highlights critical cybersecurity concerns for the jewelry industry, which often involves high-value transactions that could attract cybercriminals. The outcome might influence jewellers’ future banking and cybersecurity strategies, as well as expectations from financial institutions. It also underscores the necessity for strict cybersecurity training for employees to prevent phishing and other frauds.