Cencap FCU Files Suit Against Fiserv Alleging ‘Significant Deficiencies’ in Security; Challenges Early Termination Fee

NEW HAVEN, Conn.–Cencap Federal Credit Union has filed a lawsuit against Fiserv alleging significant deficiencies in the company’s data security practices.

The complaint, filed in the United States District Court for the District of Connecticut, alleges that Fiserv’s Virtual Branch online banking platform and the Client360 portal used by credit unions to open support tickets with Fiserv lack basic security controls, leaving them vulnerable to hackers.

The credit union is also challenging Fiserv’s multi-million-dollar early termination fee, alleging it functions as an unlawful penalty designed to punish institutions that seek to leave when problems arise. 

The $38.5-million credit union is being represented by Charles Nerko, who leads the Data Security Litigation team at Barclay Damon LLP. Nerko has previously represented four other credit unions in litigation against Fiserv.

‘Oversight & Accountability’

“Given NCUA’s lack of authority over third-party vendors, credit unions themselves play a vital role in maintaining public trust, reducing third-party risks, and holding vendors to appropriate standards,” Nerko said in a statement to The CU Daily. “We hope this case contributes to broader conversations across the credit union movement about vendor oversight, accountability, and fair contracts.”

In the complaint, Cencap alleges that Fiserv “promised world-class cybersecurity but delivered insecurity and dangerous deception.

“Rather than safeguarding sensitive financial data, Fiserv’s flawed online banking platform and ticketing system routinely exposed over 9,000 credit union members to fraud, identity theft, and compromise,” the complaint continues. “Despite knowing its platforms were insecure, Fiserv chose profits over protection. This action holds Fiserv accountable for breaching its fundamental duties to safeguard the extraordinarily sensitive information entrusted by its financial institution customers, and seeks redress for those harmed by its misconduct.

‘Longstanding Problems’

“While Fiserv markets itself as a leader in financial institution technology committed to data security, its ‘Virtual Branch’ online banking platform and Client360 portal suffer from longstanding security problems,” the complaint further alleges.

According to the complaint, even after Fiserv was sued by its other financial institution customers in 2019 and again in 2022 for not implementing proper security controls on the Virtual Branch online banking system, the company continued neglecting security problems. 

“To Fiserv, it was more important to keep its security problems under wraps than to invest in fixing security holes that potentially threatened scores of financial institutions and customers,” the lawsuit alleges. 

The lawsuit further alleges that Fiserv locks financial institutions into long-term contracts and attempts to “intimidate and silence its customers from disclosing to other affected customers when there are security problems, and holding customers’ data hostage when those customers seek to go to competitors.”

‘Shockingly Easy’

Cencap FCU is alleging that account takeover on Fiserv’s systems is “shockingly easy,” saying criminals can “hijack” online banking accounts with just “three pieces of easily obtained information”:

  • Street address number (publicly known and visible on any piece of mail)
  • Account number (printed on every check)
  • Social Security number (available through data breaches or simple guessing).

“Once criminals obtain this basic information, they can take over online banking accounts for legitimate members and drain their funds without detection,” the suit alleges. “Contrary to contractual requirements and industry standards, Fiserv never required multi-factor authentication to protect the new account enrollment process.”

Additional allegations include:

‘Inadequate Login Protection’

In addition, the suit alleges that protection around log-ins is not up to par. 

“After a Virtual Branch account is created, the system will sometimes ask for an answer to a security question, in addition to a username and password,” the suit states. “However, since the original process of establishing the security questions is itself insecure and devoid of multi-factor authentication, this security control is illusory.”

Vulnerable Support Systems

According to the filing, Fiserv’s Client360 portal, where Cencap Federal submits service requests containing confidential information, “uses the same weak username-and-password login, and omits multi-factor authentication. Criminals who access this system can manipulate banking settings and steal confidential data.”

Intervention Sought

This lawsuit is seeking immediate court intervention to “protect Cencap Federal’s 9,000 members from ongoing security risks, full compensation for damages caused by Fiserv’s insecure service, disgorgement of all profits Fiserv earned while failing to deliver promised protections, a declaration that Cencap Federal owes no termination fees to a vendor that breached its fundamental duties, and punitive damages.”

The 48-page filing includes additional information and details around the allegations made in the suit. 

The CU Daily has contacted Fiserv for a response.

  