
After a ransomware attack crippled its online and mobile banking operations for 17 days last summer, leading to more than $39 million in losses and affecting one million people, the $9.4 billion Patelco Credit Union agreed to a consent order with state regulators on Tuesday that requires the Dublin, Calif.-based financial cooperative to pay a $100,000 penalty and establish a new cybersecurity program.
What’s more, Patelco is facing a class action civil lawsuit brought by a dozen members in state court and a federal lawsuit filed by two members, claiming financial losses from their accounts that may have been connected to the ransomware attack that began in June. Since then, the credit union’s membership has fallen by more than 8,600 from 507,422 in June to 498,784 at the end of 2024, according to Patelco’s Call Reports filed with the NCUA.
“Overall, our membership grew from Jan 2024 – December 2024,” Patelco said in a prepared statement on Wednesday. “During the second half of the year, there was a membership decline because Patelco closed memberships due to first party member fraud resulting from the Security incident.”
The credit union has denied members’ claims made in the federal lawsuit. The state lawsuit is in a case management conference, which may lead to a future settlement agreement. But if no settlement is reached, the case may go before a jury.
On May 23, ransomware hackers breached Patelco's systems. By June 29, the hackers shut down most of the credit union’s online and mobile banking systems, which were restored on July 16. Patelco has said it did not pay a ransom to the hackers. The credit union disclosed the breach in August, saying that the information in the accessed databases included first and last name with Social Security number, driver's license number, date of birth and/or email address, but that not every data element was present for every individual.
The consent order stated that Patelco cooperated with the investigation conducted by California’s Department of Financial Protection and Innovation and that the credit union is committed to working with regulatory agencies for the benefit of its members.
“This consent order reflects Patelco’s willingness to work with regulatory agencies to ensure that its cybersecurity systems and processes comply with the law for an institution of its size, complexity, and risk profile,” the consent order read.
The credit union is required to designate a qualified individual to oversee the cybersecurity program to ensure the security and confidentiality of all members’ information, and protect it from any anticipated threats and unauthorized access, which could lead to substantial harm or inconvenience for members, according to the consent order.
In addition to adopting new policies and procedures that would enable Patelco’s employees to effectively implement the cybersecurity program, the credit union will be expected to maintain independent testing requirements through an internal audit function or external assessor.
The consent order also requires the credit union to maintain a training program so that all of Patelco’s employees understand the risk profile and compliance obligations to effectively implement the cybersecurity program. Patelco will be expected to hire a qualified, independent and unaffiliated third-party compliance consultant to support its efforts to augment the cybersecurity program.
Although members filed six federal lawsuits soon after the June ransomware incident, they voluntarily dismissed their legal actions. However, these six members joined six other members in a consolidated class action lawsuit that is pending in Alameda County Civil Court. The lawsuit alleged the credit union failed to take “adequate and reasonable measures” to ensure member information was safeguarded and that Patelco allegedly failed to prevent unauthorized disclosure of data and follow procedures to encrypt member data even for internal uses.
Additionally, on Oct. 1, members Mae Aquino and Dontae Brown Jr. filed a lawsuit against Patelco, claiming that after the ransomware incident was resolved in July they discovered 26 fraudulent transactions on their account totaling more than $14,000. All of the fraudulent transactions were made via the Apple Cash app, which Aquino and Brown said they never used.
According to court filings, Patelco has denied that the transactions were fraudulent.
The lawsuit is on hold pending arbitration proceedings.
Contact Peter Strozniak at pstrozniak@cutimes.com.