Members File Six Lawsuits Against a California CU Over Data Breach

Six class action lawsuits were filed over two weeks by members of the $1.3 billion Ventura County Credit Union (VCCU) in Ventura, Calif., for a data breach that affected nearly 82,000 people. In addition, members of the $2.3 billion HawaiiUSA Federal Credit Union in Honolulu filed a federal lawsuit over its data breach that impacted more than 20,000 persons.

Kelly Sawyer, Brian Griffen and Trevor McCarthy each filed their separate lawsuits at Ventura County Superior Court on July 19, less than two weeks after they received a notice about the breach on July 6. Three more lawsuits were filed by Tony Van Wilpe on July 20, Robert Araujo on July 31 and Lee Likens on Aug. 2.

In addition to alleging that VCCU violated a variety of California and federal laws, members questioned why it took the credit union more than six months to notify them about the data breach, which happened in the latter part of 2022.

According to a VCCU data breach notification that it filed with the Attorney General’s Office in Maine, where it has 10 members, the breach compromised personal identifying information, and financial account numbers or debit and credit card numbers in combination with security codes, access codes, passwords or PINs. The credit union serves 74,562 members, according to the NCUA.

VCCU said in a form letter mailed to the 81,900 people affected by the breach that it became aware of suspicious activity in certain employee email accounts on Dec. 14, 2022. The credit union said it immediately launched an investigation with the help of a third-party forensic specialist. The investigation determined there was unauthorized access to certain VCCU email accounts from Oct. 20, 2022 to Dec. 15, 2022.

“Therefore, we reviewed the contents of the affected accounts to determine what, if any, sensitive information they contained. On June 7, 2023, VCCU’s review determined that the affected accounts contained certain information related to you (the member),” according to the credit union’s letter filed with the California Attorney General’s office.

But the lawsuits questioned why VCCU waited more than six months, from December when the breach was initially suspected, to the disclosure of the data breach in the credit union’s notification letter dated July 6 mailed to members.

“VCCU’s data breach notice contained cursory information about the breach and VCCU has continued to provide few, if any detailed specifics about the breach to the public and/or individuals impacted,” Griffen’s lawsuit said.

What’s more, Sawyer’s lawsuit pointed out that the VCCU notification letter did not explain why it took the credit union nearly two months to detect the unauthorized access to VCCU email accounts from October to December.

When reached last week, VCCU provided an explanation as to why it took more time to notify those who were affected by the breach.

“Unlike a breach within a financial information processing system which, once identified, can be more readily assessed for scope and disclosure, our forensics required a time-consuming and largely manual review of communications in impacted inboxes,” VCCU said in a prepared statement. “When the forensic review completed the identification of impacted individual information, we disclosed that in a timely manner.”

VCCU also said the phishing attack was limited in scope to its Microsoft Outlook program.

But as VCCU members argued in their lawsuits, from December when the breach was originally detected until July 6 when they received the notification letter from VCCU, bad actors were most likely using the stolen members’ personal and financial information to commit crimes.

Although none of the members reported they lost money from their accounts, Sawyer said as a result of her personally identifiable information being compromised, someone opened a Bank of America card under her name in December 2022. Sawyer also claimed that she has received an increased number of spam calls, texts and emails, and pointed out that the value of her personally identifiable information has been diminished or lost.

Sawyer said in her lawsuit that she anticipates she will be spending considerable time and money to address the harms from the VCCU data breach and that she will have to contend with an increased risk of identify theft and fraud for years to come.

VCCU said it is implementing additional safeguards, and reviewing policies and procedures relating to data privacy and security to continue guarding against similar incidents in the future. The credit union also provided credit monitoring and identity protection services at no cost to persons affected by the breach.

Last month, Joseph Smith and Tony Lee filed a civil lawsuit against HawaiiUSA Federal Credit Union in Honolulu for its data breach that was first detected on Dec. 12, 2022; members were not notified until April 7.

Smith and Lee argued in their lawsuit that HawaiiUSA’s failure to promptly notify the 20,889 persons affected by the breach virtually ensured that the unauthorized third parties who exploited those security lapses could monetize, misuse and/or disseminate members’ personal and financial information indefinitely. The credit union serves 132,844 members, according to the NCUA.

Following the data breach, Smith claimed someone used his identity to file fraudulent tax returns and he also reported receiving an increasing number of spam calls, texts and emails.

In its data breach notice, HawaiiUSA said the “evidence showed unauthorized connections to the employee’s email account for a short period of time on Dec. 22, 2022.”

The credit union said it took immediate steps to secure the account and hired a cybersecurity firm to conduct an investigation.

“Because the evidence did not show which specific emails or attachments were viewed or accessed by the unauthorized action, we conducted a careful review of the contents of the accounts,” the credit union said in a sample letter that it filed with the California Attorney General’s office.

That careful review process apparently took nearly three months. According to a data breach notification, HawaiiUSA filed with the Attorney General’s office of Maine where the credit union has two members, the data breach was discovered on March 15. The credit union also stated that it notified persons affected by the data breach on April 7 and the information compromised was personal identification, account numbers, debit/credit card numbers, security codes, access codes, passwords or PINs.

The credit union provided credit monitoring and identity protection services at no cost to persons affected by the breach.

HawaiiUSA and its attorneys did not respond to CU Times‘ requests for comment.