The credit union has denied members’ claims made in the federal lawsuit. The state lawsuit is in case management conference, which may lead to a future settlement agreement. But if no settlement is reached, the case may go before a jury.

On May 23, ransomware hackers breached Patelco's systems. By June 29, the hackers shut down most of the credit union’s online and mobile banking systems, which were restored on July 16. Patelco has said it did not pay a ransom to the hackers. The credit union disclosed the breach in August saying that the information in the accessed databases included first and last name with Social Security number, driver's license number, date of birth and/or email address, but not every data element was present for every individual.

The consent order stated that Patelco cooperated with the investigation conducted by California’s Department of Financial Protection and Innovation and that the credit union is committed to working with regulatory agencies for the benefit of its members.

“This consent order reflects Patelco’s willingness to work with regulatory agencies to ensure that its cybersecurity systems and processes comply with the law for an institution of its size, complexity, and risk profile,” the consent order read.

The credit union is required to designate a qualified individual to oversee the cybersecurity program to ensure the security and confidentiality of all members’ information, and protect it from any anticipated threats and unauthorized access, which could lead to substantial harm or inconvenience for members, according to the consent order.

In addition to adopting new policies and procedures that would enable Patelco’s employees to effectively implement the cybersecurity program, the credit union will be expected to maintain independent testing requirements through an internal audit function or external assessor.

The consent order also requires the credit union to maintain a training program so that all of Patelco’s employees understand the risk profile and compliance obligations to effectively implement the cybersecurity program. Patelco will be expected to hire a qualified, independent and unaffiliated third party compliance consultant to support its efforts to augment the cybersecurity program.

Although members filed six federal lawsuits soon after the June ransomware incident, they voluntarily dismissed their legal actions. However, these six members joined six other members in a consolidated class action lawsuit that is pending in Alameda County Civil Court. The lawsuit alleged the credit union failed to take “adequate and reasonable measures” to ensure member information was safeguarded and that Patelco allegedly failed to prevent unauthorized disclosure of data and follow procedures to encrypt member data even for internal uses.

Additionally, on Oct. 1, members Mae Aquino and Dontae Brown Jr. filed a lawsuit against Patelco claiming after the ransomware incident was resolved in July that they discovered 26 fraudulent transactions on their account totaling more than $14,000. All of the fraudulent transactions were made via the Apple Cash app, which Aquino and Brown said they never used.

According to court filings, Patelco has denied that the transactions were fraudulent.

The lawsuit is on hold pending arbitration proceedings.

READ MORE: Patelco Credit Union Consent Order.

Contact Peter Strozniak at [email protected].