Court Orders Banco de Galicia to Pay Ample Damages for Security Lapses

In a critically important victory for consumer rights, two customers in Goya, Argentina, have successfully sued Banco de Galicia and Buenos Aires S.A.over unauthorized transfers and fraudulent loans. Teh Civil, Commercial, and Labor Appeals Chamber of Goya ruled in favor of the plaintiffs, ordering the bank to pay a total of $1,466,500 in damages.

The Anatomy of the Fraud: Phishing and Security Vulnerabilities

The case highlights the growing threat of cybercrime and the responsibility of financial institutions to protect their customers. The plaintiffs fell victim to what appears to be a sophisticated phishing scheme. Despite following the bank’s recommendations to change their usernames and passwords after detecting the initial unauthorized transfers, a loan was illicitly approved in their account.

Between April 12 and 14, 2021, loans totaling $2,477,020 were credited to the account and later annulled. investigations revealed that unauthorized transfers were made to third parties, prompting the initial complaint of “phishing.”

Judges Criticize Bank’s Lack of Cooperation and Security Shortcomings

The court strongly criticized Banco de Galicia for its reluctance to provide crucial details and evidence that could have clarified the situation. Judges gertrudis Márquez,Liana aguirre,and Jorge Muniagurria emphasized the bank’s failure to maintain adequate security measures,stating:

The consistent circumstances and alien to discussion in the case include the bank’s conduct in relation to unauthorized transfers and the lack of security in his system,as well as the attitude of the plaintiff when presenting evidence and his collaboration in the process.
Judges Gertrudis Márquez, Liana Aguirre, and Jorge Muniagurria

This lack of clarity, the judges argued, further eroded the victims’ trust in the institution.

Breakdown of Damages Awarded

The total compensation of $1,466,500 was divided into three categories:

• Patrimonial Damage: $66,500 for the unauthorized transfers themselves.
• Extrapatrimonial Damage: $500,000 for the psychological distress caused by the ordeal.
• Punitive damage: $900,000 for the bank’s legal breaches and failure to uphold its security obligations.

Bank’s Defense Fails to Convince the Court

Banco de galicia attempted to deflect responsibility by arguing that the transfers were made using the account holder’s credentials. However, the court found this defense unconvincing, noting that the bank failed to provide sufficient evidence to support its claims, thereby violating its duty to provide information to its customers.

While the bank claimed to have followed security protocols by instructing the customer to change their credentials, this action proved insufficient to prevent the cyberattack.

Expert Testimony Confirms Phishing Attack

A computer forensics expert testified that the plaintiffs were indeed victims of phishing, as there were no records of access to their online banking accounts from their personal devices. This testimony, combined with screenshots of the bank’s security measures and an employee’s description of standard procedures in similar situations, further strengthened the plaintiffs’ case.

Punitive Damages: A Deterrent Against Future Negligence

The imposition of $900,000 in punitive damages is particularly noteworthy. Punitive damages serve as a civil fine levied against a supplier who violates their legal or contractual obligations to consumers. The aim is to punish egregious behavior and deter future misconduct. the court emphasized that this type of damage is separate from other forms of compensation and is resolute based on the severity of the offense and the specific circumstances of the case.

This ruling sends a clear message to financial institutions: they must prioritize cybersecurity and take responsibility for protecting their customers from online fraud. As cybercrime continues to evolve, banks must invest in robust security measures and be transparent in their dealings with customers who fall victim to these attacks. According to recent reports, cybercrime is on the rise globally, making this ruling all the more relevant.