I call it punishment because I don't think the attack was really sophisticated, I think USAA's internal training and software was wholly inadequate to defend against a persistent unsophisticated attacker. Why were they still routing his calls to regular bank tellers after the first couple attempts? Why wasn't the security department involved at that point as the only allowable contact point? Why did they actually hand out the login name and password for an account without doing the 10 minute deep-dive identity verification they now make my wife do?