Patelco faces multiple lawsuits over ransomware attack

The four lawsuits allege that attackers stole members' Social Security numbers, among other data. Patelco has not yet confirmed whether any data was stolen.

Amid the fallout of a cybersecurity breach, Patelco Credit Union faces at least four lawsuits over its alleged failure to adequately secure customer information including Social Security numbers and driver's license numbers.

The credit union, based in Dublin, California, said that it suffered a ransomware attack on June 29, which led the credit union to shut down many of its day-to-day banking systems. On Thursday, 12 days later, members were still unable to view their account balances, access online and mobile banking, receive monthly statements or add or edit automated bill payments.

According to the four lawsuits against Patelco filed by various members, each filed in U.S. District Court in the Northern District of California, the credit union sent members notifications about the data breach starting June 30. However, the lawsuits also allege that the credit union has not disclosed what data had been stolen.

The $9.8 billion-asset Patelco has not yet filed a response to any of the complaints, the earliest of which was filed July 1. A spokeswoman for the credit union declined to comment on the lawsuits.

"We're completely focused on getting back up and running right now and making sure our members are supported throughout the process," the spokeswoman for Patelco said.


The members suing the credit union allege that the cybercriminals stole data including members' names, dates of birth, addresses, Social Security numbers, driver's license numbers and financial account information. Each of the lawsuits also says that Patelco stored this information in an unencrypted form. One lawsuit claims that, had the plaintiff known about Patelco's "lax data security," he would not have provided his personal information to the credit union.

To support these claims that members' personal information was stolen, one lawsuit claims that a member's credit card was registered at an e-commerce site without his authorization. Some of the lawsuits claim members have experienced a significant increase in spam emails.

"[Patelco] knew that an unauthorized person had acquired the personal, unencrypted information of [credit union members] but has thus far not provided direct notice," one of the lawsuits, a class action, alleges.

Plaintiffs in the case are seeking unspecified monetary damages and asking the court to require Patelco to implement better cybersecurity practices.

To date, Patelco has provided updates on what banking functions are and are not available to members, but it has not publicly confirmed whether the ransomware attackers stole members' data.

Since the ransomware attack began, Patelco members have not been able to view their account balances or access their accounts via mobile or online banking, according to the credit union.

Patelco CEO Erin Mendez said Tuesday that the credit union's infrastructure is "stable and secure," adding that the credit union is catching up on processing transactions by recording ACH, checking transactions on accounts and transactions recorded in-person at branches.

"We expect to make 50% progress on this task by tomorrow and are expecting to be completely caught up by the end of the week," Mendez said on Tuesday. "Once that happens, we will be able to confirm the date when you will be able to access your accounts."

As of Thursday, the credit union had not provided an update on its progress catching up on transactions.

In the meantime, members have been able to deposit and withdraw money via other methods, such as checks, bill pay, Venmo and PayPal. However, debit and credit card payments are limited, members cannot use Zelle and adding and editing automated bill payments is unavailable. Additionally, ATM withdrawals are currently limited to $500 per day.
