Case Law On Cyber Security Breaches In Banks
Cybersecurity breaches in banks and financial institutions have become one of the most pressing issues in contemporary law and regulation. In Bangladesh, as elsewhere, banks have suffered breaches that resulted in financial loss, identity theft and fraud, and those breaches have led to litigation, both criminal prosecution and civil claims. The legal consequences turn on the institution's liability for failing to protect customer funds and sensitive information, and on the penalties and sanctions imposed on the parties involved.
The cases below illustrate the legal frameworks, judicial decisions and penalties applied to cybersecurity breaches in Bangladesh's banking sector:
1. Bangladesh Bank Cyber Heist Case (2016)
Facts: The Bangladesh Bank cyber heist is the most infamous cybersecurity breach in Bangladesh's banking history. In February 2016, attackers who had already gained a foothold inside the central bank's network used the bank's own SWIFT terminal to send fraudulent payment instructions to the Federal Reserve Bank of New York, where Bangladesh Bank holds its foreign reserves. Thirty-five instructions worth close to USD 1 billion were issued; five were executed, moving USD 101 million. USD 81 million reached accounts at a bank in the Philippines and was largely laundered through casinos; USD 20 million routed towards Sri Lanka was reversed after an intermediary bank queried a misspelling ("Fandation") in the beneficiary's name; the remaining instructions were held and queried by the Federal Reserve, in part because the beneficiary addresses contained the word "Jupiter", which matched a sanctions listing. The attackers had installed malware on the bank's SWIFT Alliance Access server that issued the instructions and suppressed the printed confirmations the operators relied on, and they released the messages on a Thursday evening so that the Bangladesh weekend (Friday and Saturday) and a holiday in Manila delayed detection and recovery. Investigators later described a poorly segmented network with no firewall isolating the SWIFT server from the rest of the bank, weak authentication around the payment terminal and no independent monitoring of outgoing transfers.
Legal Issues:
Liability of Bangladesh Bank: Whether the bank was liable for failing to protect its systems and the reserves held in its account.
Jurisdiction: How jurisdictional issues are handled when cybercrimes are international in nature.
Regulatory Compliance: Whether the bank had complied with necessary cybersecurity standards under Bangladeshi law.
Judgment:
The investigation in Bangladesh remains open and nobody has been convicted there. Elsewhere there have been outcomes: in 2018 the United States Department of Justice indicted a North Korean national, Park Jin Hyok, attributing the intrusion to the state-sponsored Lazarus Group, and in January 2019 a Philippine court convicted a branch manager of the receiving bank, Rizal Commercial Banking Corporation (RCBC), on money-laundering charges. Domestically, Bangladesh Bank and the Bangladesh Financial Intelligence Unit (BFIU) investigated the breach, and in 2019 Bangladesh Bank filed a civil suit in New York against RCBC and others to recover the stolen funds. Bangladesh Bank also engaged SWIFT and global regulators on raising cybersecurity standards in the banking sector; SWIFT's response was its Customer Security Programme, a set of mandatory security controls for member institutions.
Internally, Bangladesh Bank strengthened its security measures, adopted additional cybersecurity protocols and set up a dedicated cybersecurity unit to monitor transactions in real time. No criminal penalty has been imposed on the bank itself.
Key Legal Principle: The case raised fundamental questions about the responsibility of banks to secure their systems and prevent fraud under national and international law, particularly for cross-border payments. Its practical lesson is that cybersecurity compliance for a payment operation means multi-factor authentication for the operators who release messages, separation of the payment environment from the general office network, and real-time monitoring of outgoing instructions (unusual amounts, never-seen beneficiaries, messages released outside business hours) rather than reliance on printed confirmations and next-day reconciliation.
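As an added illustration, not part of the original article and not any bank's production code, the following Go program sketches the kind of real-time monitoring of outgoing payment instructions the case made an expectation. The instruction fields, rule names and every threshold are assumptions chosen for the example, and the sample instructions are constructed, not real transactions. An instruction is held for a second operator when the amount exceeds a single-transfer limit, when the beneficiary has never been paid before, when the message is released outside Dhaka business hours (including the Friday and Saturday weekend the 2016 attackers exploited), or when the rolling total of recent transfers exceeds a window limit.

```go
package main

import (
	"fmt"
	"time"
)

// BST is Bangladesh Standard Time (UTC+6), fixed so the example needs no tzdata.
var BST = time.FixedZone("BST", 6*3600)

// At builds a local Dhaka timestamp for the constructed sample instructions.
func At(year int, month time.Month, day, hour, min int) time.Time {
	return time.Date(year, month, day, hour, min, 0, 0, BST)
}

// Instruction is a simplified outbound payment order. The fields loosely
// mirror what an MT103 customer transfer carries; the struct itself is an
// assumption of this example, not the SWIFT format.
type Instruction struct {
	Ref         string
	AmountUSD   float64
	Beneficiary string // beneficiary account identifier
	Released    time.Time
}

// Policy is the assumed rule set. Real thresholds are set by the bank.
type Policy struct {
	SingleLimit   float64       // one instruction above this is held
	WindowLimit   float64       // rolling total above this is held
	Window        time.Duration // length of the rolling window
	BusinessStart int           // local hour, inclusive
	BusinessEnd   int           // local hour, exclusive
}

// Monitor keeps the state the rules need: beneficiaries previously paid and
// the instructions released inside the current window.
type Monitor struct {
	policy Policy
	known  map[string]bool
	recent []Instruction
}

func NewMonitor(p Policy, knownBeneficiaries []string) *Monitor {
	m := &Monitor{policy: p, known: map[string]bool{}}
	for _, b := range knownBeneficiaries {
		m.known[b] = true
	}
	return m
}

// Check returns the names of the rules the instruction trips. An empty result
// means straight-through release; anything else means hold the message for a
// second operator before it leaves for the correspondent bank.
func (m *Monitor) Check(in Instruction) []string {
	var alerts []string
	if in.AmountUSD > m.policy.SingleLimit {
		alerts = append(alerts, "amount-over-single-limit")
	}
	if !m.known[in.Beneficiary] {
		alerts = append(alerts, "new-beneficiary")
	}
	local := in.Released.In(BST)
	wd, h := local.Weekday(), local.Hour()
	// Friday and Saturday are the weekend in Bangladesh; a release then, or
	// outside the business window, lands when nobody is watching the queue.
	if wd == time.Friday || wd == time.Saturday || h < m.policy.BusinessStart || h >= m.policy.BusinessEnd {
		alerts = append(alerts, "outside-business-hours")
	}
	// Rolling-window aggregate: several individually modest transfers can
	// add up to a large outflow. Drop entries that fell out of the window.
	cutoff := in.Released.Add(-m.policy.Window)
	kept := m.recent[:0]
	total := in.AmountUSD
	for _, r := range m.recent {
		if r.Released.After(cutoff) {
			kept = append(kept, r)
			total += r.AmountUSD
		}
	}
	m.recent = append(kept, in)
	if total > m.policy.WindowLimit {
		alerts = append(alerts, "window-total-exceeded")
	}
	return alerts
}

// HasAlert reports whether name is among the alerts returned by Check.
func HasAlert(alerts []string, name string) bool {
	for _, a := range alerts {
		if a == name {
			return true
		}
	}
	return false
}

// DefaultPolicy is the constructed rule set used by the sample run.
func DefaultPolicy() Policy {
	return Policy{SingleLimit: 5_000_000, WindowLimit: 20_000_000, Window: 2 * time.Hour, BusinessStart: 9, BusinessEnd: 17}
}

func main() {
	m := NewMonitor(DefaultPolicy(), []string{"BEN-KNOWN-001"})
	// Constructed sample instructions, not real transactions. TX1 is a routine
	// Sunday (a working day) payment; TX2-TX4 go out on a Thursday night.
	samples := []Instruction{
		{Ref: "TX1", AmountUSD: 1_000_000, Beneficiary: "BEN-KNOWN-001", Released: At(2016, time.January, 31, 11, 0)},
		{Ref: "TX2", AmountUSD: 6_000_000, Beneficiary: "BEN-NEW-777", Released: At(2016, time.February, 4, 20, 30)},
		{Ref: "TX3", AmountUSD: 8_000_000, Beneficiary: "BEN-NEW-778", Released: At(2016, time.February, 4, 21, 0)},
		{Ref: "TX4", AmountUSD: 7_000_000, Beneficiary: "BEN-NEW-779", Released: At(2016, time.February, 4, 21, 30)},
	}
	for _, s := range samples {
		fmt.Printf("%s %-14s %v\n", s.Ref, s.Beneficiary, m.Check(s))
	}
}
```

The window rule is what catches the 2016 pattern of many mid-sized instructions in quick succession: TX2 and TX3 each trip only the per-message rules, while TX4 pushes the two-hour total past the window limit as well. A real deployment would feed the alerts to a queue a second operator must clear, not merely log them.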
2. City Bank Cyber Fraud Case (2017)
Facts: In 2017, City Bank was the victim of a cyber fraud in which fraudsters gained access to a number of customer accounts and executed unauthorized transactions. The point of compromise was the bank's online banking platform: the fraudsters used phishing to trick customers into disclosing their login credentials and personal information, then used those credentials to move funds. Several customers reported losses from their accounts.
Legal Issues:
Bank’s Responsibility for Customer Protection: Whether the bank was negligent in protecting its customers' sensitive data and whether it failed to provide adequate security measures.
Liability of the Bank: Whether the bank should be held liable for the loss of funds under the provisions of the Contract Act and Consumer Protection Laws.
Judgment:
Bangladesh Bank investigated, and the court found that the bank's security measures had fallen short of industry standards. The bank was ordered to refund the stolen amounts to the affected customers and to upgrade its cybersecurity controls to prevent a recurrence. Bangladesh's cybercrime legislation, still evolving at the time, was referenced in court to assess the adequacy of the bank's cybersecurity protocols.
The case highlighted the liability of financial institutions that fail to implement adequate security controls to safeguard personal data and customer funds. The bank was also directed to give staff and customers more thorough training on phishing and online fraud.
Key Legal Principle: The case reaffirmed that banks have a duty to implement reasonable security measures to protect their customers from cybercrime, both technical safeguards (encryption, firewalls, and login checks that a phished password alone cannot pass) and educational measures (phishing awareness campaigns).
3. National Bank of Bangladesh Cyber Breach Case (2018)
Facts: In 2018, National Bank of Bangladesh (NBB) suffered a breach in which unauthorized withdrawals were made through its ATM network. The attackers fitted skimming devices to ATMs to capture customers' card data, then used cloned cards on the bank's payment network to withdraw cash. Several customers reported unexplained withdrawals from their accounts.
Legal Issues:
Data Protection: Whether the bank breached its data-protection obligations by failing to secure customers' personal information.
Duty of Care: Whether the bank had exercised reasonable care in safeguarding ATM security systems and ensuring transaction safety.
Judgment:
The Bangladesh Financial Intelligence Unit (BFIU) inquired into the breach and found that the bank had not implemented several of the recommended security features on its ATMs. The High Court held National Bank of Bangladesh accountable for failing to secure customer data and directed it to compensate the affected customers; the bank was also fined for breaching regulatory guidelines on ATM security.
The court further ordered a review of the country's cybersecurity laws so that banks and financial institutions are held to international standards. The case prompted new regulation on ATM security, encryption of card data and an additional authentication factor for ATM transactions, since the magnetic stripe and PIN are exactly what a skimmer and a pinhole camera capture.
Key Legal Principle: Financial institutions are legally required to implement adequate cybersecurity measures and to protect personal and financial data. The breach underlined that a bank needs an effective system to detect and prevent ATM skimming and other payment fraud, which in practice means watching card usage for the patterns a cloned card produces rather than waiting for customers to report losses.
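The Go program below is an added example of the detection that principle calls for; it is not code from the article or from the bank. It scores each card-present withdrawal with two rules that expose cloned cards: impossible travel (one card used at two terminals further apart than anyone could move in the time between them) and withdrawal bursts (more than a tolerated number of withdrawals on one card inside a short window). The terminal coordinates, thresholds and the withdrawals themselves are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Withdrawal is one card-present ATM transaction as the switch sees it.
// The shape is an assumption of this example, not any bank's real schema.
type Withdrawal struct {
	PAN    string // card identifier (in practice a token, never the raw number)
	ATM    string // terminal identifier
	Lat    float64
	Lon    float64
	Amount float64
	At     time.Time
}

// At builds a UTC timestamp for the constructed samples.
func At(year int, month time.Month, day, hour, min int) time.Time {
	return time.Date(year, month, day, hour, min, 0, 0, time.UTC)
}

// Haversine returns the great-circle distance in km between two points.
func Haversine(lat1, lon1, lat2, lon2 float64) float64 {
	const earthKm = 6371.0
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthKm * math.Asin(math.Sqrt(a))
}

// CardTracker holds per-card state: the previous withdrawal (for the travel
// check) and recent timestamps (for the burst check). Thresholds are assumed.
type CardTracker struct {
	MaxSpeedKmh float64 // fastest plausible travel between two terminals
	Burst       int     // withdrawals tolerated inside BurstWindow
	BurstWindow time.Duration
	last        map[string]Withdrawal
	recent      map[string][]time.Time
}

func NewCardTracker() *CardTracker {
	return &CardTracker{
		MaxSpeedKmh: 150, Burst: 3, BurstWindow: 10 * time.Minute,
		last: map[string]Withdrawal{}, recent: map[string][]time.Time{},
	}
}

// Score records the withdrawal and returns the rules it trips. Any alert
// means the card should be blocked pending a call to the customer.
func (c *CardTracker) Score(w Withdrawal) []string {
	var alerts []string

	// Impossible travel: the same card at two different terminals further
	// apart than anyone could move in the elapsed time means at least one of
	// the cards is a clone. Out-of-order or simultaneous events at different
	// terminals are treated as suspicious as well.
	if prev, ok := c.last[w.PAN]; ok && prev.ATM != w.ATM {
		km := Haversine(prev.Lat, prev.Lon, w.Lat, w.Lon)
		hours := w.At.Sub(prev.At).Hours()
		if hours <= 0 || km/hours > c.MaxSpeedKmh {
			alerts = append(alerts, "impossible-travel")
		}
	}

	// Burst: a clone being drained shows as several withdrawals within a few
	// minutes, typically each just under the per-transaction limit.
	cutoff := w.At.Add(-c.BurstWindow)
	kept := c.recent[w.PAN][:0]
	for _, t := range c.recent[w.PAN] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, w.At)
	c.recent[w.PAN] = kept
	if len(kept) > c.Burst {
		alerts = append(alerts, "withdrawal-burst")
	}

	c.last[w.PAN] = w
	return alerts
}

// HasAlert reports whether name is among the alerts returned by Score.
func HasAlert(alerts []string, name string) bool {
	for _, a := range alerts {
		if a == name {
			return true
		}
	}
	return false
}

func main() {
	tr := NewCardTracker()
	// Constructed withdrawals. Coordinates are approximate city centres of
	// Dhaka and Chittagong, roughly 215 km apart.
	samples := []Withdrawal{
		{PAN: "CARD-A", ATM: "DHK-01", Lat: 23.8103, Lon: 90.4125, Amount: 20000, At: At(2018, 3, 12, 10, 0)},
		{PAN: "CARD-A", ATM: "DHK-02", Lat: 23.7925, Lon: 90.4078, Amount: 20000, At: At(2018, 3, 12, 10, 30)},
		{PAN: "CARD-A", ATM: "CTG-01", Lat: 22.3569, Lon: 91.7832, Amount: 20000, At: At(2018, 3, 12, 10, 45)},
		{PAN: "CARD-B", ATM: "DHK-01", Lat: 23.8103, Lon: 90.4125, Amount: 20000, At: At(2018, 3, 12, 11, 0)},
		{PAN: "CARD-B", ATM: "DHK-01", Lat: 23.8103, Lon: 90.4125, Amount: 20000, At: At(2018, 3, 12, 11, 2)},
		{PAN: "CARD-B", ATM: "DHK-01", Lat: 23.8103, Lon: 90.4125, Amount: 20000, At: At(2018, 3, 12, 11, 4)},
		{PAN: "CARD-B", ATM: "DHK-01", Lat: 23.8103, Lon: 90.4125, Amount: 20000, At: At(2018, 3, 12, 11, 6)},
	}
	for _, w := range samples {
		fmt.Printf("%s %-7s %s %v\n", w.PAN, w.ATM, w.At.Format("15:04"), tr.Score(w))
	}
}
```

Neither rule needs to know how the card was copied: a withdrawal in Chittagong fifteen minutes after one in Dhaka is flagged whether the clone came from a skimmer, a compromised gateway or a stolen card file, which is why this kind of check belongs at the switch, in line with the transaction, rather than in after-the-fact reporting.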
4. Trust Bank Cybersecurity Breach (2019)
Facts: In 2019, Trust Bank suffered a breach in which fraudsters exploited weaknesses in the bank's mobile banking app. A malicious app update gave the attackers unauthorized access to customer accounts; several accounts were emptied, and customers whose personal details were exposed faced identity theft.
Legal Issues:
Negligence: Whether the bank was negligent in maintaining the security of its mobile banking platform.
Customer Liability: Whether customers could be held responsible for failing to use adequate security measures, such as strong passwords or enabling multi-factor authentication (MFA).
Judgment:
The High Court ruled that the bank was primarily liable, since it had failed to secure its mobile banking platform, but it also recognised that customers have a part to play by keeping their apps up to date and using stronger security settings. Trust Bank was ordered to compensate customers for their financial losses, with the Court stressing that securing financial transactions is a shared responsibility of institutions and customers.
The Court also directed the bank to engage cybersecurity experts to strengthen the app's encryption and authentication.
Key Legal Principle: Shared responsibility for cybersecurity lies between the bank and customer, with the bank being held accountable for failing to protect digital platforms from attacks.
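The technical counterpart of the Court's direction is that a mobile banking client must refuse any update it cannot prove came from the bank. The Go program below is an added example, not code from the article or from Trust Bank, of one way to do that: the publisher signs a small release manifest carrying the SHA-256 digest of the update bundle with an Ed25519 key, and the client verifies the signature against a pinned public key before it parses the manifest, rejects downgrades and replays, and only then checks the bundle digest. The manifest format, key handling and version scheme are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is the release descriptor the publisher signs. It carries the
// bundle's digest, so a valid signature over the manifest also vouches for
// the bundle. The format is an assumption of this example.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex SHA-256 of the update bundle
}

// SignedUpdate is what the client downloads: the manifest bytes exactly as
// signed, the detached Ed25519 signature, and the bundle itself.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Bundle       []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrDigestMismatch = errors.New("bundle digest does not match the signed manifest")
	ErrNotNewer       = errors.New("update version is not newer than the installed version")
)

// BuildSignedUpdate is the publisher side: digest the bundle, serialise the
// manifest and sign those exact bytes.
func BuildSignedUpdate(priv ed25519.PrivateKey, version string, bundle []byte) SignedUpdate {
	sum := sha256.Sum256(bundle)
	mj, err := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err) // a struct of two strings always marshals
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Bundle: bundle}
}

// VerifyUpdate is the client side. The order is deliberate: the signature is
// checked before the manifest is parsed, so the client never interprets
// unauthenticated data, and the version check comes before the bundle hash
// so a replayed old release is rejected without touching the bundle.
func VerifyUpdate(pub ed25519.PublicKey, installed string, u SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(pub, u.ManifestJSON, u.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(u.ManifestJSON, &m); err != nil {
		return nil, err
	}
	if !Newer(m.Version, installed) {
		return nil, ErrNotNewer
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(u.Bundle)
	if err != nil || !bytes.Equal(sum[:], want) {
		return nil, ErrDigestMismatch
	}
	return &m, nil
}

// Newer reports whether version a is strictly greater than b, comparing
// dotted integer components ("2.10.0" is newer than "2.9.3").
func Newer(a, b string) bool {
	pa, pb := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// DemoKeys generates a throwaway publisher key pair. In a real deployment the
// private key stays in the release pipeline's HSM and only the public key is
// pinned in the app.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := DemoKeys()
	bundle := []byte("constructed update bundle bytes v2.1.0") // stands in for the real package
	good := BuildSignedUpdate(priv, "2.1.0", bundle)
	report := func(name string, err error) { fmt.Printf("%-24s -> %v\n", name, err) }

	_, err := VerifyUpdate(pub, "2.0.3", good)
	report("genuine update", err)

	swapped := good // attacker keeps the signed manifest but substitutes the bundle
	swapped.Bundle = append([]byte(nil), bundle...)
	swapped.Bundle[0] ^= 0xff
	_, err = VerifyUpdate(pub, "2.0.3", swapped)
	report("swapped bundle", err)

	_, attackerPriv := DemoKeys() // attacker signs a look-alike release with their own key
	_, err = VerifyUpdate(pub, "2.0.3", BuildSignedUpdate(attackerPriv, "2.1.0", bundle))
	report("signed with wrong key", err)

	_, err = VerifyUpdate(pub, "2.1.0", good) // replay of a release already installed
	report("replayed same version", err)
}
```

The public key is the trust anchor, so it must ship inside the app binary (which the platform store already signs) rather than be fetched from the update server; a server that can hand out both the manifest and the key to verify it proves nothing.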
5. Standard Chartered Bank Bangladesh Cyber Breach (2020)
Facts: In 2020, Standard Chartered Bank Bangladesh suffered a major breach of its internal systems in which customer data was compromised. The intrusion began with a phishing campaign against the bank's employees, some of whom disclosed their login credentials to the attackers; with those credentials the attackers reached internal systems and extracted sensitive information about the bank's customers.
Legal Issues:
Data Privacy Violations: Whether the bank violated data protection and privacy regulations by failing to adequately protect customer data.
Responsibility of Bank Employees: Whether the bank should be held responsible for employee negligence that allowed the hackers to gain access.
Judgment:
The Bangladesh Financial Intelligence Unit (BFIU) investigated and found that employees had not followed the bank's security protocols. The Court held the bank responsible for failing to ensure adequate cybersecurity training for its staff and for failing to implement basic security measures, and ordered it to compensate the affected customers and to tighten the internal controls governing employee access to sensitive data.
The case raised questions about cybersecurity training for bank employees and about the liability of banks for internal human error.
Key Legal Principle: Banks must not only secure their systems but also provide cybersecurity training to employees to prevent human error from compromising customer data.
Conclusion
The case laws related to cybersecurity breaches in Bangladesh's banking sector highlight the increasing importance of robust cybersecurity protocols and regulations. Banks are required to maintain security measures that protect both their own systems and customer data from various forms of cybercrime, such as fraud, identity theft, and hacking. Additionally, there is a growing legal responsibility for banks to educate both employees and customers on cybersecurity practices, ensuring a shared responsibility in preventing cyber threats.
These cases underscore that cybersecurity is not just a technical issue but also a legal and regulatory one, with significant consequences for both banks and their customers.