California financial watchdogs hit Patelco with $100,000 fine

Six months after Patelco Credit Union was hit with a ransomware attack, the California Department of Financial Protection and Innovation slapped a $100,000 penalty and consent order against the credit union for the cybersecurity breach. 

The $9.8 billion-asset credit union based in Dublin, California was hit with a ransomware attack in late June of last year, affecting its 500,000 members. Hackers were able to access personally identifiable information about a significant number of members including birth dates, home addresses, Social Security numbers, driver's license numbers and financial account information.

"Last summer's cybersecurity breach at Patelco adversely affected hundreds of thousands of credit union members," said KC Mohseni, acting DFPI commissioner. "They were locked out of their accounts for weeks and their personal information was compromised. This Department is committed to holding accountable companies that do not adequately protect their customers' data."

The order instructs Patelco to bolster its cybersecurity to be in compliance with state and federal requirements. The credit union is additionally instructed to retain an independent compliance consultant and report cybersecurity updates to the DFPI. 

The June 29 attack completely knocked out the credit union's mobile and online banking capacities as well as its call center. The bank proactively shut down banking systems making it impossible for consumers to issue electronic transactions including transfers (like Zelle), direct deposit, balance inquiries and payments. Debit and credit cards were only available in a limited capacity. 

Nearly two weeks later, members were still unable to do many basic functions. Multiple lawsuits were filed against Patelco for failing to secure customer information. At the time, these lawsuits alleged the credit union had not disclosed exactly what data had been stolen from which customers. 

In a statement, Erin Mendez, president and CEO of Patelco, said the credit union has been working closely with the California DFPI to address their questions and reach a resolution.

"As part of this resolution, we are implementing enhanced measures to further strengthen our cybersecurity program — many of which are already underway," Mendez said. "These proactive steps underscore our unwavering commitment to transparency, protecting our members' information and privacy, and continuously improving our systems to prevent future incidents. By investing in these improvements, we reaffirm our dedication to resilience and the trust our members and community places in us."