Patelco members file class action lawsuit over ransomware attack


Two class action lawsuits have been filed in California federal court by members of the $9.7 billion Patelco Credit Union over a ransomware attack that crippled most of its online banking systems. Members alleged the cyberattack may have compromised the personally identifiable information (PII) of 502,421 members.

On June 29, Patelco informed its members in an email notification that it had been hit by a “major security incident,” later confirming it was a ransomware attack. On July 2, Patelco said in a question-and-answer session that there was no evidence that mobile and online banking user IDs and passwords were compromised by the malware attack or that members’ account information was compromised. And since July 2, the credit union has repeatedly said that members’ money is safe and secure, reminding them that all of their accounts are insured by the NCUA.

However, the class action lawsuits allege that Patelco still failed to provide members with any details about what types of personal information may have been stolen in the data breach.

“Ransomware attacks, by their nature, almost never occur without cybercriminals accessing and exfiltrating a target’s PII. Upon information and belief, Plaintiffs’ and Class Members’ PII was exposed and exfiltrated as a result of this data breach,” according to the lawsuit filed by Patelco member Josh Warren of Livermore.

PII typically includes names, dates of birth, addresses, Social Security numbers, driver’s license numbers, and/or financial account information.

The lawsuit also alleged that the notice sent to members on June 30 was conspicuously lacking in detail regarding the root cause of the data breach, the vulnerabilities exploited and the remedial measures Patelco had taken to prevent such a breach from occurring again.

“Upon information and belief, the attacker accessed and seized files that Patelco maintained on its systems containing unencrypted personal information of plaintiffs and class members, including, but not limited to, their Social Security numbers,” the lawsuit alleged.

As a result of the data breach, Warren claimed to have been a victim of fraud. Specifically, an unknown person attempted to register Warren’s credit card on an e-commerce site, which charged him a registration/verification fee of approximately $10.

She also claimed that the credit union had failed to adequately protect members’ PII, which had caused her real harm in the form of a loss of value to her private information – a form of intangible asset she had entrusted to Patelco.