Editor's Note: Since this story was first reported, a statement from Fiserv has been added.
GREENVILLE, Penn.–Bessemer System Federal Credit Union has filed suit against Fiserv alleging the website the company created and hosted for the credit union contained security vulnerabilities and defects.
In a suit filed in the Court of Common Pleas of Mercer County, Penn., BSFCU is alleging “widespread, systemic misconduct” by Fiserv, whose technology the credit union described as the “lifeblood” of Bessemer FCU, as it tracks the credit union’s “deposits, generates its statements, and powers its online banking website.”
“Despite Fiserv’s claimed expertise, Fiserv has misreported Bessemer’s account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer’s members,” the credit union claims.
Fiserv told CUToday.info in a statement, "We believe the allegations have no merit and will respond to the claims as part of the legal process.”
The lawsuit cites an email from Fiserv to BSFCU’s CEO in which the company allegedly stated, “Yes, we agree, Bessemer System FCU has experienced an extreme number of issues.” BSFCU runs Fiserv’s Charlotte account-processing platform in addition to other solutions.
The $38-million Bessemer System FCU has approximately 4,311 members.
‘Unfortunate History’
In its complaint, Bessemer Systems FCU alleged Fiserv as a “sordid, unfortunate history of failing to protect confidential information. Fiserv has been repeatedly put on notice that its security measures were deficient, leaving BSFCU member information at risk.”
The lawsuit alleges that Fiserv’s own security review uncovered more than 40 weaknesses in its security. Among the issues cited by BSFCU were providing confidential member information to an authorized third-party, placing an invalid return address on member account statements for the biannual verification of accounts, ceasing to update antivirus software, and other issues. The lawsuit further alleges that Fiserv’s internal culture actively discourages the emphasis on data security.
In the case of its online banking system, the BSFCU lawsuit further alleges the online banking system could be easily penetrated by potential scam artists using trial and error and guessing. The suit states that all that is required to enter the system is an account number and the last four digits of a Social Security number, which it said are easily obtainable.
‘Purely Illusory’
When the system was updated to also require an additional security step of providing a house number, the credit union alleges that the information is also readily available to scammers, but “most alarmingly, this security control was purely illusory. Because some servers were not enforcing the security check, it could be readily bypassed,” the lawsuit alleges.
BSFCU is further alleging that “adding insult to injury, rather than fixing the security problems and providing the requested assurances that information was being adequately safeguarded, Fiserv issued BSFCU a “notice of claims that the security review of its own online banking system gives rise to civil and criminal claims,” and that the company demanded the credit union not disclose information relating to the security review to any third parties.
Other Allegations
Other allegations made by the credit union include:
- It has been faced with increased costs of dealing with members who have placed fraud alerts or credit freezes in response to companies data breaches, making it impossible or burdensome for credit union to evaluate members credit worthiness for current or potential credit or loans.
- Fiserv has falsified and misrepresented the credit union’s member and transactional records, which has caused some members to not be paid the dividends owed to them.
- The system has improperly allocated loan payments and a missed reporting that a member still owed money on an already paid off loan. A host of other issues are also alleged related to mortgages and other loans.
- In one case the company manually rebuilt a statement for a member in order to properly reflect a total amount paid.
- The credit union has had to deal with a “litany of bugs and defects,” and its employees are often locked out of the system
- The outsourcing of technical support by Fiserv has led to cases in which case the call center personnel were unable to identify which platform the credit union uses.
- It has encountered a wide number of billing errors on invoices
Bessemer Systems FCU is being represented by Charles J. Nerko, an attorney with VedderPrice in New York, and Richard J. Parks, an attorney with Pietragallo Gordon Alfano Bosick & Raspanti of Sharon, Penn.