“Considering that Plaintiff (Cencap) has been using Defendant’s (Fiserv) product since 2016, there has not been an unexpected event that imminently threatens irreparable injury before Defendants can be heard in opposition,” Oliver wrote in a court filing. He ordered Fiserv to file its opposition brief by June 13.

Cencap filed a civil lawsuit against the Brookfield, Wis.-based Fiserv on June 5, alleging eight specific security deficiencies in its software that violate federal standards and represent material breaches of Fiserv’s contractual and other obligations.

These alleged deficiencies were also cited in a May 28 letter from Cencap’s attorney, Charles J. Nerko of New York, to Fiserv Chief Legal Officer Adam Rosman. The letter served as a notice of intent to terminate the credit union’s contract, or Master Agreement, with Fiserv.

Fiserv attorney Andrew J. Wronski responded to the letter denying any security issues, data breaches or incidents. He noted a Fiserv relationship manager spoke with Cencap representatives on the morning of May 29 and none of these alleged issues was raised during that conversation.

He further stated Cencap’s claims that the eight deficiencies breached Fiserv’s obligations are meritless.

“Cencap has never provided any notice of or expressed concern about, and Fiserv is not aware of, any security incidents or breaches related to the products and services that Cencap receives under the Master Agreement,” Wronski wrote. “Moreover, your letter does not describe any particular injury or incident that gives rise to any alleged concern that Fiserv can access or evaluate further.”

Cencap’s lawsuit did not specify that any data breaches or fraud resulted from the alleged vulnerabilities.

On June 6, Cencap’s attorneys filed motions for a temporary restraining order, a preliminary injunction and expedited discovery. Fiserv responded on June 9 with a motion requesting a briefing schedule.

Festini said Fiserv’s alleged security flaws were uncovered during a security review. He claimed Fiserv failed to meet Federal Financial Institutions Examination Council guidelines by using ineffective customer authentication methods and not implementing multifactor authentication or other safeguards.

Even after Cencap paid for two-factor authentication on the Virtual Branch platform, Festini alleged, the feature remained unimplemented, leaving new account setups secured by only single-factor authentication.

He also cited vulnerabilities in Fiserv’s Client360 portal — a public-facing website for credit union staff to manage service requests — as a risk to sensitive data and system security.

“Despite handling confidential information and handling requests that would affect system security, the Client360 portal is only secured by a simple username and password, without additional security protection such as two-factor authentication,” Festini stated. “If a hacker gains access to the Client360 portal, they could impersonate credit union employees, manipulate member accounts, modify system settings, alter transactional and fraud-prevention rules, or disable security controls entirely. A hacker can also see current and former support tickets, which contain sensitive consumer or security information.”

Fiserv’s legal briefing, however, argued that Cencap's concerns do not arise from any recent event.

“Put simply, there is nothing 'new' here. The current version of Virtual Branch enrollment has been the parties’ 'status quo' for years. The same is true for the Client 360 product,” Fiserv said in its legal briefing. “Indeed, during the more than nine years of the parties’ relationship, plaintiff has not once reported a data breach, data security incident, data security concern or customer complaint about data security with respect to Virtual Branch enrollment or Client 360. And, as the TRO Motion makes clear, nothing 'happened' recently to change that status quo.”

READ MORE: Cencap FCU’s Motion for Temporary Restraining Order (TRO)

Peter Strozniak can be reached at [email protected].