Athanasios Rantos, Advocate General of the CJEU, said that banks should quickly refund account holders for unauthorized transactions, regardless of the account holders’ fault.
The opinion was issued in response to a request for a preliminary ruling submitted by the District Court in Koszalin, Poland, in a dispute between the PKO BP S.A. bank and one of its customers.
The case involved phishing fraud where a customer listed an item for sale on an auction site and was contacted by a fraudster who sent a malicious link mimicking the bank’s login page.
The customer entered their bank credentials on the fake site, and the fraudster used them to make an unauthorized payment.
The victim reported the transaction to the bank and police the next day, but the fraudsters were not caught, and the bank denied the refund. In response, the customer sued the bank.
The dispute arose because the bank argued it could deny the refund if the customer’s negligence caused the loss.
Rantos argues that under the EU Payment Services Directive (Directive (EU) 2015/2366, PSD2), banks must issue immediate refunds to victims unless they have valid reasons to suspect fraud.
“Advocate General Athanasios Rantos considers that EU law requires the bank, as a first step, to refund immediately the amount of the unauthorised transaction, unless it has good reason to suspect fraud, which it must communicate in writing to the competent national authority,” reads the CJEU press release.
The process doesn’t stop there; banks can still recover losses from customers if they show evidence of gross negligence or intent that led to the security breach.
“If the bank establishes that the customer has failed, intentionally or through gross negligence, to fulfil one of the obligations relating, in particular, to personalised security data, it may require the customer to bear the corresponding losses,” reads the AG’s opinion.
“If the customer refuses to reimburse the amount of the unauthorised transaction, it is up to the bank to take legal action against that person to obtain payment.”
This opinion is not a CJEU ruling; it only indicates the direction the court may take. The AG’s opinion is a legal recommendation to the CJEU judges, while the court’s final ruling will be binding on all EU courts.