WHITE PLAINS, N.Y. — Another credit union has filed a lawsuit against Fiserv that alleges the company failed to safeguard sensitive member financial data, misrepresented its cybersecurity practices and corrupted core account records.
The suit was filed in U.S. District Court for the Southern District of New York by the $56-million Educational & Governmental Employees Federal Credit Union, which is alleging Fiserv and its subsidiary, Fiserv Solutions LLC, breached contractual obligations and engaged in fraud by providing inadequate security controls while claiming compliance with industry standards.
Representing the credit union in the case is lead counsel Lori Feldman of Hecht Partners. Co-counsel is Charles Nerko, managing partner of NERKO PLLC, a law firm formed to represent credit unions in disputes with third-party vendors, Nerko is representing numerous other credit unions in similar litigation against Fiserv, as the CU Daily has reported.
The credit union, which serves more than 6,300 members in Westchester County, said it relied on Fiserv’s systems to process and store highly sensitive member data, including Social Security numbers, account balances and transaction histories.
Allegations of Weak Cybersecurity
Similar to other litigation, at the center of the complaint are allegations that Fiserv failed to implement basic cybersecurity protections—particularly multi-factor authentication (MFA)—despite representing that such safeguards were in place and aligned with federal standards.
The lawsuit claims that, instead of robust protections, Fiserv relied on weaker measures such as email or text-based passcodes, which federal guidance considers insufficient for securing financial systems.
“Fiserv sold and operated systems that were so insecure that no regulated financial institution should have been asked to run its confidential data through them,” the complaint states.
The credit union further alleges that some systems lacked MFA entirely, exposing member data to heightened risk of unauthorized access and fraud.
Claims of Data Integrity Failures
In addition to security concerns, the lawsuit alleges that Fiserv’s systems failed to properly process and reconcile transactions, leading to inaccuracies in the credit union’s books and records.
According to the complaint, improperly processed transactions “corrupted” account records, creating operational and regulatory risks that cannot be remedied by monetary damages alone.
Because Fiserv controls the underlying systems and data, the credit union argues that only the company can fix the alleged errors—prompting a request for court-ordered specific performance, the lawsuit alleges.
Exit Fees and “Hostage” Claims
The lawsuit also accuses Fiserv of effectively locking clients into its platform through steep termination and “deconversion” fees, which the credit union said could reach seven figures.
Educational FCU claims Fiserv is “monetizing its own security failures” by forcing customers to either remain on allegedly insecure systems or pay substantial fees to leave.
Broader Pattern Alleged
The complaint cites prior litigation and public reporting to argue that the alleged conduct reflects a broader pattern. It references earlier lawsuits by other credit unions and reports of security flaws affecting financial institutions using Fiserv systems.
The credit union alleges Fiserv knowingly concealed security deficiencies, delayed fixes until public scrutiny and discouraged clients from sharing information about vulnerabilities.
Legal Claims
Educational FCU is bringing multiple claims, including breach of contract, fraud, unjust enrichment and violations of the federal Defend Trade Secrets Act. It is seeking monetary damages, rescission of its contract, declaratory relief voiding certain fees, and a court order requiring Fiserv to implement stronger security controls and correct account records.
The lawsuit also seeks punitive damages, alleging the company acted with “willful, wanton, and reckless disregard” for the security of financial institutions and their members.
Ongoing Risk Alleged
The complaint claims that the risks are ongoing, not hypothetical, warning that continued use of the systems could expose members to identity theft, fraud and long-term harm.
“As long as those systems remain inadequately secured, Educational FCU’s systems remain unsecured,” the filing states.
Fiserv Responds
“The claims against Fiserv fundamentally mischaracterize our Credit Union business and our longstanding commitment to protecting our clients,” Fiserv said in a statement to the CU Daily. “Our policies and practices are designed to deliver effective information security programs tailored to each client’s business, member preferences, and other needs. The features of these programs are detailed in comprehensive written agreements between Fiserv and its clients, something that these claims ignore. We look forward to successfully defending ourselves in court.”
