A California oil company that lost thousands after being attacked by hackers has won $350,000 in a legal settlement after suing its bank.

TRC Operating Co. Inc., an oil production company from Taft, California, sued the Fresno-based United Security Bank, claiming that the bank had failed to adequately secure its accounts.

In November 2011, TRC was the victim of a hack that lasted five days, during which hackers seized control of its bank accounts, stealing nearly $3.5 million. The money was transferred out of the company’s accounts in twelve separate wire transfers, all to accounts in Ukraine.

United Security was able to block or recall eleven of the twelve wires, leaving one transfer worth $299,000 that got through. TRC still sued the bank, arguing that the simple “username and password” security offered by the bank was inadequate.

United Security hit back, claiming that because the hack took place on one of TRC’s computers, the responsibility lay with TRC. It emerged that a TRC employee had fallen victim to a phishing scam, and had malware on his computer that allowed ‘web inject’ code to be inserted into his browser.

Web inject malware is designed to target online banking sites, and manifests in the form of pop-up windows prompting for extra user information and personal details. The details entered are stolen and used by the hackers to change access to bank accounts, contact email addresses and authorized users.

Before the case could come to trial, United Security’s insurance company agreed to settle out of court with TRC, neither firm admitting fault. The $350,000 settlement is the maximum permitted under California law – the original amount stolen plus interest.

Julie Rogers, the San Jose attorney representing TRC, said that “Under the California Commercial Code, that’s all we’re entitled to. The law is written to the advantage of financial institutions…[we can’t claim] punitive damages or attorney fees.”

Dennis Woods, United Security CEO, said that TRC had a duty to keep its data private. “If you don’t give away your confidential info and identity, you don’t get hacked… None of our other customers were hacked. They never hacked the bank – he gave away his ID to a third party.”

TRC is not the first California cybercrime victim to successfully pursue legal action to recover its losses. In 2012, Village View Escrow Inc. was awarded $400,000 from Professional Business Bank for a case run on similar lines. The same law firm – Dincel Law Group – has represented the claimants in both cases, arguing both times that the banks’ security was lacking.