A small credit union in Greenville, Pennsylvania is suing the fintech giant Fiserv, alleging that security vulnerabilities and widespread problems with the vendor’s processing services have affected its members.
The Bessemer System Federal Credit Union said “baffling and amateurish security lapses” at Fiserv affected the privacy of thousands of its members and that it was seeking damages for negligence, breach of contract, and unfair trade practices. Bessemer said that when it approached Fiserv about the security problems, the company threatened “civil and criminal prosecution if Bessemer discussed [them] with third parties.”
A lawyer representing Bessemer, Charles Nerko, said in an interview that “to protect the credit union’s members, the credit union is replacing its core processing vendor and will be taking appropriate legal action against the vendor.”
A spokesperson for Fiserv said, “We believe the allegations have no merit and will respond to them as part of the legal process.”
Fiserv is a top bank core processor, with $5.7 billion in earnings and more than 37% of the market. Its transaction processing is used by hundreds of small community banks and credit unions. Bessemer uses Fiserv systems to track deposits, generate statements, and manage its online banking website.
In August 2018, the website KrebsOnSecurity reported Fiserv had fixed a vulnerability in its web platform that had exposed “personal and financial details of countless customers across hundreds of bank web sites.”
Brian Krebs said that KrebsOnSecurity had been informed of the vulnerability by a security researcher who was able to spy on the daily transaction activity of some customers of a small bank. When informed of the flaw, Fiserv deployed a security patch within 24 hours.
Bessemer said it investigated the Fiserv platform independently after the KrebsOnSecurity story and found a vulnerability that would allow a hacker to register an online account tied to the accounts of other offline bank customers. The lawsuit also charges that the Fiserv system sometimes charged customers for canceled services, did not record loan payment dates accurately, and accidentally canceled some user accounts.
Bessemer has 4,311 members and almost $38 million in assets, according to the National Credit Union Administration. The lawsuit was filed in the Court of Common Pleas of Mercer County, Pennsylvania.