Lawsuits target Patelco Credit Union as ransomware attack effects linger; concerns over personal info exposed
Patelco Credit Union, which is trying to recover its banking systems from a ransomware attack, is the target of two class-action lawsuits because of the data breach and possible exposure of personal information.
The lawsuits were filed on July 1 and July 3 on behalf of two Patelco customers and others "similarly situated." They both allege the Dublin-based credit union has not safeguarded customers' personal information such as account numbers, Social Security numbers, and addresses from the data breach.
In the complaint filed by Oakland-based law firm Cole & Van Note, plaintiff Eileen Poluck alleges her and other customers' private information was exposed in the data breach because Patelco "intentionally, willfully, recklessly and/or negligently" failed to implement measures to keep it secure.
"Thus, Defendant created, collected and stored Representative Plaintiff's and Class Members' Private Information with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access," the complaint said. "Despite this, Representative Plaintiff and the Class Members remain, even today, in the dark regarding what particular data was stolen, the particular malware used and what steps are being taken, if any, to secure their Private Information going forward. Representative Plaintiff and Class Members are thus left to speculate as to where their Private Information ended up, who has used it and for what potentially nefarious purposes."
Patelco has said in various communications to its customers that their money was "safe and secure" while a third party was still in the process of restoring online banking, balance inquiries, check cashing, and other services following the June 29 ransomware attack.
However, the company has not said whether any of its 450,000 customers have had any personal identifying information exposed in the data breach, nor has it identified the source of the ransomware attack.
Such attacks involve hackers encrypting files and demanding ransom to decrypt them, and when no ransom is paid hackers follow through on threats to expose personal information, such as what happened to City of Oakland employees following a ransomware attack last year.
Berkeleyside reported that law firm Wolf Haldenstein Adler Freeman & Herz had also filed a class action lawsuit on behalf of Livermore resident Josh Warren and other class members. The complaint noted the inconvenience, frustration and costs associated with accessing banking services that are currently not available online.
"Moreover, because of the Data Breach and resulting service outages stemming therefrom, Defendant has been encouraging Plaintiff and Class Members to travel to and from various Patelco ATM locations to withdraw or deposit their money thereby causing Plaintiff and Class Members to incur out-of-pocket travel expenses (including but not limited to gasoline/fuel expenses and wear and tear on their personal vehicles)," the complaint said.
Last week, Patelco said the ransomware attack would prevent customers from accessing banking services for days or weeks.
On Tuesday, Patelco CEO Erin Mendez reiterated in another message to customers that their system was "stable, secure and we are making positive momentum daily toward our final goal: getting back to business." Mendez said the company was catching up on processing transactions and expect to be completely caught up by the end of the week.
"Once that happens, we will be able to confirm the date when you will be able to access your accounts," said Mendez.
The latest information on what is and is not available to Patelco customers can be found on the company's web page dedicated to security incident updates.