Patelco Members File Class Action Lawsuits Over Ransomware Attack

The lawsuits allege members’ personally identifiable information may have been compromised.


Two class action lawsuits have been filed in a California federal court by members of the $9.7 billion Patelco Credit Union over the ransomware attack that crippled most of its online banking systems. The members claimed that the cyberattack may have compromised the personally identifiable information (PII) of its 502,421 members.

On June 29, Patelco told its members in an email notice that it was hit by a “serious security incident,” and later confirmed it was a ransomware attack. On July 2, Patelco said in a Q&A that there is no evidence that mobile and online banking user IDs and passwords have been affected by this malware attack, or that member account information had been compromised. And since July 2, the credit union has repeatedly said that members’ money is safe and secure, reminding them that all of their accounts are insured by the NCUA.

However, the class action lawsuits claimed that Patelco has still not told members which types of PII may have been stolen in the data breach.

“Ransomware attacks, by their very nature, almost never occur without the cybercriminal perpetrator(s) accessing, and indeed, exfiltrating, PII from the target. Upon information and belief, Plaintiff’s and Class Members’ PII has been exposed and exfiltrated as a result of this Data Breach,” according to the lawsuit filed by Patelco member Josh Warren of Livermore.

PII typically includes names, dates of birth, addresses, Social Security numbers, driver’s license numbers and/or financial account information.

The lawsuit also alleged that noticeably absent from the notice email that was sent to its members on June 30 are details of the root cause of the data breach, the vulnerabilities that were exploited and the remedial measures that Patelco undertook to ensure such a breach does not happen again.

“Upon information and belief, the attacker accessed and acquired files that Patelco stored on its systems containing unencrypted PII of plaintiff and class members, including but not limited to their Social Security numbers,” the lawsuit alleged.

The 48-page lawsuit was filed by Warren on July 3 in U.S. District Court in San Francisco.

Warren claimed he suffered fraud as a result of the data breach. Specifically, an unknown individual attempted to register Warren’s credit card on an e-commerce site, and it charged him a registration/verification fee of approximately $10.

Another class action lawsuit was filed on July 1 against Patelco in the same federal court by Eileen Poluk.

She also alleged that the credit union failed to properly secure and safeguard members’ PII and that she suffered actual injury in the form of damages and value to her private information — a form of intangible property that she entrusted to Patelco.

Read More: Warren v. Patelco Credit Union and Poluk v. Patelco Credit Union