Woman Sues FirstBank Over $10K Account Breach; Bank Says Transactions Were Made Using Her Card

The lawsuit alleges FirstBank failed to flag suspicious activity, resulting in hackers draining $10,476.86 from the plaintiff’s account. FirstBank contends the transactions were made with the plaintiff’s card, in locations she had previously used it

  • Janeka Simon
  • September 13, 2024
comments
23 Comments

Firstbank's Orange Grove branch on St. Croix. Photo Credit: ERNICE GILBERT, V.I. CONSORTIUM

A woman is suing FirstBank after claiming that hackers drained her account using suspicious, unauthorized transactions that she said went unflagged by the financial institution.

The civil complaint, alleging breach of contract, negligence, and Electronic Fund Transfer Act (EFTA) violations, was filed by New York resident Gladys Harrigan, who named both FirstBank Puerto Rico and its FirstBank Virgin Islands subsidiary as defendants.‌

According to the lawsuit, Ms. Harrigan said she opened a FirstBank savings account with the VI branch, and received a chipped ATM card. She claims that weak security procedures implemented by the bank, “such as single-factor protocols relying on usernames and passwords,” make accounts “readily susceptible to breach by scams such as phishing or SIM swaps.”

An account breach is exactly what Ms. Harrigan claims happened to her. Over the course of 10 days in November, over 30 unauthorized transactions were made ranging in value from $1.63 to $483.50, seemingly at ATMs and stores around Brooklyn and the Bronx, as well as via electronic transfers and purchases. In total, Ms. Harrigan says the thieves drained $10,476.86 from her FirstBank account. “The transactions were small enough and of similar amounts to go through undetected, a known tactic used by hackers and cybersecurity criminals,” the lawsuit states.‌

Ms. Harrigan contends that this activity was unusual for her account, which had never shown so many small withdrawals in such a compressed timeframe. Neither had her account been completely emptied before. “Either the Defendants had no cybersecurity measures, or the cybersecurity measures they did have were inadequate or non-functional,” the lawsuit alleges. She never received any alerts or notifications from FirstBank regarding the suspicious transaction, Ms. Harrigan says. She only became aware that something was wrong when she tried to use her card at an ATM and was denied access to the account.‌

After contacting the bank to inquire about the problems she had experienced accessing her account, Ms. Harrigan says she was surprised to learn that her PIN had been changed, and that her account balance was now a mere $13. She claims that she had never changed her PIN, and had been using the same one she was assigned by the bank after first receiving her card. “Expecting her account to contain a balance exceeding $10,000, Plaintiff was immediately distraught and demanded a thorough investigation,” the complaint alleges. Nevertheless, she was ultimately persuaded to order a new card instead of closing the account completely.

A conversation with the bank’s security department proved deeply satisfying, as Ms. Harrigan says representatives insisted that someone must have physically taken her card and used it, despite her insistence that the card remained in her possession and was rejected at the ATM when she tried to use it.

In early January 2024, the bank wrote to Ms. Harrigan listing the unauthorized transactions as well as two authorized transactions, and telling her that no error had occurred with the transactions being queried.

A final unauthorized transaction dated December 4 showed up on Ms. Harrigan’s January statement. On that date, she says, she either lacked access to her account or was awaiting a new card to be delivered.

Ms. Harrigan once again requested an investigation into these transactions, this time by letter dated February 9. She also requested a refund under the EFTA. On March 1, the bank responded, rejecting her request. “[T]he referenced withdrawals were executed through ATM machines and in-person purchases (POS), using a Visa Debit Card equipped with chip, which couldn’t be cloned. Regarding the interview, the client always had the VISA card in her power,” the letter stated.

She again asked for an in-depth investigation, but says she continued to be stonewalled by FirstBank. That’s when Ms. Harrigan decided to make a report with the Virgin Islands Division of Banking and Insurance, as well as file a claim with the Federal Deposit Insurance Corporation, which was transferred to the Consumer Financial Protection Bureau. Nevertheless, FirstBank remained resolute, standing by their original determination that a chipped debit card was physically present for all the queried transactions, “and the payments were made contactless.” The bank also pointed out that the transactions flagged by Ms. Harrigan were made in the same area as some transactions that she did not object to. There was no discussion of Ms. Harrigan’s claim that her PIN had been changed without her knowledge, and that when she tried to use the card that was issued to her, she was denied access to her account at the ATM.

Her complaint accuses FirstBank of violating the EFTA by among other things “failing to conduct a timely, reasonable, thorough, good-faith investigation” into Ms. Harrigan’s claims, failing to investigate and resolve her claim in the timeframe stipulated by the Act, and failing to provide her “with a clear explanation of their investigative process, the evidence considered, or the rationale for their determination,” also required by the law. She also accuses the bank of breach of contract, breach of good faith and fair dealing, negligence, wrongful denial of access, and intentional infliction of emotional distress.

She is asking the court to award her actual, statutory, compensatory and punitive damages, along with pre-and post-judgement interests and costs, including attorney’s fees. As of press time, FirstBank had not yet filed a response to Ms. Harrigan’s complaint.

Get the latest news straight to your phone with the VI Consortium app.