They stole scores of account numbers, created new PINs, fabricated debit cards, then withdrew cash from ATMs in Eastern Europe, including Russia and Ukraine, as well as in Britain, Canada and New York.
"It was a pretty sophisticated scheme," said Tim Carter, president of the Fort Worth-based bank.
The amount stolen is not yet known, he said, describing it only as "minimal." No depositors will lose money, he said.
Fewer than 100 accounts, some of them dormant, were compromised, all with a daily withdrawal limit of less than $1,000, he said.
After discovering the fraudulent activity last Friday afternoon, OmniAmerican placed temporary limits on some ATM and debit-card transactions and suspended some electronic banking services, which were restored Sunday, Carter said. At no time were customer deposits at risk, he stressed.
"We reduced by half the dollar amount that could be withdrawn and limited (access) to Texas. We cut out anything outside Texas," Carter said.
The unauthorized withdrawals were stopped Friday, and bank employees worked over the weekend to deal with the damage, he said.
The bank learned of the breach from customers inquiring about unusual activity in their accounts, from internal monitoring and from a law enforcement agency that Carter declined to name.
Letters alerting cardholders to the fraudulent activity were mailed Wednesday, the bank said.
OmniAmerican, which has 17 branches in Texas, also is issuing approximately 40,000 new debit cards as a safeguard against future fraudulent activity, Carter said. Each needs a revised personal identification number.
Martin Carmichael, the chief security officer at McAfee, a computer-security firm based in Plano, Texas, said this type of cyberattack has become "a commonplace occurrence," although some banks are reluctant to admit that their security has been breached.