A New York federal judge told JP Morgan Chase Bank this week that he would not toss a lawsuit accusing the bank of ignoring red flags when cybercrooks stole $272 million from the New York account of the company that makes Ray-Bans in 2019.
In an opinion and order filed on Wednesday [PDF], US District Judge Lewis Liman dismissed claims that JP Morgan breached its contract and was negligent, but said that the Thai manufacturing subsidiary of international eyewear company EssilorLuxottica, Essilor Manufacturing (EMTC), can continue with a claim under New York contract law requiring banks to refund unauthorized payment orders from a customer.
He dismissed a claim under the same law by its international parent firm, as well as common law claims for both, although Judge Liman said the companies could file an amended complaint with redrafted breach of contract claims.
In the original complaint [PDF], the sunglasses maker said crooks made a total of 243 fraudulent payments, altogether pulling out a cool $272.151 million from EMTC’s New York account with JP Morgan. The money was deposited into various straw man accounts and shell entities throughout the world, the complaint added.
The filing also outlined a situation that most non-JP-Morgan-account-having readers will be unfamiliar with: Essilor claimed that “from mid-September 2019 until mid-December 2019, EMTC repeatedly exceeded its daily overdraft limit, but Chase didn’t contact EMTC or Essilor.” Daily transfers from the NY account were supposed to be capped at $10 million, but sometimes exceeded this “by more than $20 million,” the complaint added.
Could happen to any of us, right?
JP Morgan had earlier claimed, in its attempt to get the lawsuit dismissed, that Essilor couldn’t maintain a claim against it under New York law “because it was not the ‘sender’ of the payment orders and thus cannot obtain a refund.” In this week’s order, the court also declined to dismiss the complaint as “time barred.” The bank said in a July 2022 motion [PDF] that the manufacturer filed the suit in April 2022, more than two years after the last fraudulent wire transfer in December 2019. It claimed the account terms EMTC had signed meant this was too late. It also claimed: “EMTC failed to detect the fraud over the four months it was being committed – failing to account along the way for more than a quarter billion dollars.”
The complaint explains that Essilor was able to recover all but $100 million of the transfers, purloined in what was described as a “complex fraud orchestrated by international cybercriminals.”
Just months after the transfers took place in 2019, Essilor said it had been the victim of a cyberattack on its group servers and computers, and claimed to have isolated the infected servers and installed software patches “with the support of leading external antivirus experts.” A spokeswoman with the Franco-Italian eyewear group told Reuters at the time: “The malware is a new type of virus. Essilor took immediate action… to prevent the spread of the malware.”
There doesn’t appear to be any connection between the theft and the attack.
JP Morgan declined to make a statement about the order handed down this week. We have asked Essilor for comment.
Paris-listed EssilorLuxottica co-launched augmented reality glasses with Meta in September 2021 that the pair dubbed Ray‑Ban Stories. Here’s a video of Mark Zuckerberg modeling the shades (you’re welcome), which, as The Reg reported, were slated to appear in real-world stores last year. We haven’t tried them and don’t know what they’re like from the wearer’s point of view, but, like all sunglasses, the hope is that they allow onlookers to believe there’s a spark of life behind the user’s dead eyes. ®