Court OKs Expedited Discovery to CU Suing Fiserv Over Alleged Security Shortcomings

NEW HAVEN, Conn.– Cencap Federal Credit Union has successfully obtained a court order requiring expedited discovery from Fiserv as part of a lawsuit related to the company’s alleged data security shortcomings and the CU’s desire to have its early termination fee waived.

As the CU Daily was first to report here, the complaint, filed in the United States District Court for the District of Connecticut, alleges that Fiserv’s Virtual Branch online banking platform and its Client360 portal, which credit unions use to open support tickets with Fiserv, lack basic security controls, leaving both vulnerable to hackers.

The $38.5-million credit union is alleging that hacking Fiserv’s Virtual Branch online banking system is “shockingly easy,” and that criminals can “hijack” online banking accounts with just three pieces of easily obtained information: a member’s street address number, account number, and Social Security number.

Account Takeover

“Once criminals obtain this basic information, they can take over online banking accounts for legitimate members and drain their funds without detection,” the suit alleges. “Contrary to contractual requirements and industry standards, Fiserv never required multi-factor authentication to protect the new account enrollment process.”

Now, in the wake of the filing of the lawsuit, Judge Vernon D. Oliver has granted Cencap FCU’s request for expedited discovery and ordered Fiserv to produce the discovery within 60 days. 

‘All Appropriate Legal Actions’

“The credit union will continue to take all appropriate legal actions to ensure its member information is protected, as well as to enforce all of its rights and remedies against Fiserv, including challenging its early termination fee,” Charles Nerko, the attorney representing Cencap FCU, said in a statement.

Nerko leads the Data Security Litigation team at Barclay Damon, LLP and has previously represented four other credit unions in litigation against Fiserv.

As the CU Daily also reported earlier, Cencap FCU is further asserting in its action that Fiserv has sought to levy an early termination fee “in the millions,” despite the alleged security issues.

‘Two False Premises’

In its reply memorandum filed with the court, Cencap argues that “Fiserv’s opposition rests on two false premises: that the security threat Cencap Federal identified is speculative, and that Cencap Federal has received what it contracted for. Both are wrong.

“What Fiserv’s opposition conceals is that in August 2024, another credit union that used the identical Virtual Branch enrollment authentication process as Cencap Federal suffered a data breach when an unauthorized individual used publicly obtainable information of a member to enroll in online banking and take over that member’s account…,” the reply alleges. “Fiserv was notified of this breach, and, at that credit union’s request, fixed the security problem by implementing multi-factor authentication at Virtual Branch enrollment.”

That other credit union, according to the reply memo, is Portland Local No. 8 FCU, which was hit by a hacker group in August 2024. The reply includes an affidavit from Aporoniano “Jon” Labonite, president and CEO of Portland Local 8. 

Single-Factor Authentication

Cencap Federal stated in its filings that at present only a single piece of information, such as an account number or Social Security number, is needed for someone to access its systems. It is the same level of security that was breached at Portland Local 8 FCU, Cencap alleges.

“Despite knowing about this proven hacking opportunity—and having already fixed it for another credit union by implementing multifactor authentication (exactly what Cencap Federal seeks on this motion)–and despite knowing that every other credit union using the same Virtual Branch enrollment authentication process remains equally exposed, Fiserv, in its opposition recites a list of generic security features with impressive sounding names, hoping to convince this Court that its system is secure,” the plaintiff’s reply memo continues. 

‘Borders on the Absurd’

The reply further states, “Next, Fiserv’s argument that because the line item ‘multi-factor authentication’ in the parties’ agreement is not further defined in the Master Agreement, it must simply refer to whatever security features Cencap Federal already has…That position borders on the absurd. ‘Multi-factor authentication’ has a plain and well-established meaning in the technology industry that Fiserv, one of the largest vendors of banking technology, cannot credibly feign ignorance about. Fiserv’s own website publishes articles to educate its customers on what ‘multi-factor authentication’ means.

“…Clearly, Fiserv understands not only what multi-factor authentication is (or is not), but also the contexts in which stronger forms of multi-factor authentication are appropriate,” the reply continues. “Yet Fiserv now claims that it has no idea what the parties intended when they agreed to have ‘multi-factor authentication’ implemented for Cencap Federal’s Virtual Branch, and retroactively defines ‘multi-factor authentication’ to mean something entirely different…”

A ‘Red Herring’

The credit union is further arguing that Fiserv’s statement that it is only bringing the motion “as a tactic to avoid paying a termination fee” is a “red herring.”

“Cencap Federal is not asking this Court to impose a new or untested security control. It is asking Fiserv to implement a protection that Fiserv has already acknowledged as necessary, already configured within its own systems, that Cencap Federal has already paid a fee for, and that Fiserv already deployed for at least one other credit union using the same Virtual Branch online banking system,” the reply memo reads. 

Importance of Vendor Management

“It’s now more important than ever for credit unions to audit their vendors and ensure they are appropriately protecting member information,” said Nerko in a statement. “The legal process is an important tool for credit unions to obtain accountability, protection, and compensation when a vendor fails to provide what it promised.”

Fiserv Responds

In response to an inquiry from the CU Daily, Fiserv said in a statement related to the court ruling, “Fiserv is pleased with the decision and will continue to defend itself in this action.”

Considerable Discussion

A post on LinkedIn by the CU Daily following the original report on the filing of the suit led to considerable response and discussion among credit unions, and can be found here.
