Patelco members file class action lawsuit over ransomware attack

Members of the $9.7 billion Patelco Credit Union have filed two class action lawsuits in federal court in California over the ransomware attack that took down most of their online banking systems. The members claim the cyberattack may have compromised the personal information of their 502,421 members.

On June 29, Patelco told its members in an email that it had experienced a “major security incident,” and later confirmed that it was a ransomware attack. On July 2, Patelco said in a question-and-answer session that there was no evidence that mobile and online banking user IDs and passwords were affected by this malware attack or that any member account information was compromised. And since July 2, the credit union has repeatedly stated that members’ money is safe and secure, reminding them that all of their accounts are insured by the NCUA.

However, the class action lawsuits allege that Patelco has still not provided members with information about what types of personally identifiable information (PII) may have been stolen in the data breach.

“By their nature, ransomware attacks almost never occur without the cybercriminal(s) accessing and actually exfiltrating the target’s personal information. Based on the information and knowledge available, the personal information of the plaintiff and class members was disclosed and exfiltrated as a result of this data breach,” says the complaint filed by Patelco member Josh Warren of Livermore.

PPI typically includes names, dates of birth, addresses, social security numbers, driver’s license numbers and/or bank account information.

The lawsuit also alleges that the notification email sent to members on June 30 conspicuously lacks disclosure about the root cause of the data breach, the vulnerabilities exploited, and the remedial actions Patelco has taken to ensure that such a breach does not happen again.

“Based on the information and beliefs available, the attacker accessed and acquired files that Patelco had stored on its systems that contained unencrypted personal information of plaintiff and class members, including, but not limited to, their social security numbers,” the lawsuit states.

Warren claims that he was the victim of a scam as a result of the data theft. Specifically, an unknown person attempted to register Warren’s credit card on an e-commerce site and demanded a registration/verification fee of approximately $10.

She further alleged that the credit union failed to adequately safeguard and protect members’ PPI and that as a result she suffered actual harm in the form of damages and loss of value of her private information – a type of intangible asset that she had entrusted to Patelco.