Credit Union’s Legal Battle With Tech Giant Fiserv Rumbles On

0

Particular credit union, Bessemer System Federal Credit Union (BSFCU), sued Fortune 500 tech giant Fiserv over ‘amateurish confidence lapses’ in 2019. Fiserv counterclaimed with a motion to dismiss, and Bessemer motioned to dismiss the counterclaim.

BSFCU was founded 75 years ago by wage-earners of the Bessemer and Lake Erie Railroad in Greenville, Pa. It now provides community credit union services to Mercer County, Pennsylvania. Fiserv is one or the world’s broadest fintech companies. It is ranked 205 in the Fortune 500, and has a market value of around $80 billion.

In August 2018, Brian Krebs had sign in on a Fiserv platform security lapse that enabled one customer to see the email address, phone number and full bank account number of another – an model of what OWASP calls ‘broken access control’. BSFCU subsequently performed its own security review and found further vulnerabilities in the online banking website that Fiserv had plan for. 

A banner on its homepage states, “Due to vulnerabilities we discovered with the Ezcardinfo site, we have discontinued all new enrollments effective immediately. We will be discontinuing all access to the position after notifying all current users.”

According to BSFCU, Fiserv responded with “an aggressive ‘notice of claims’ attempting to silence Bessemer by menacing civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties”, including other Fiserv customers.

In the end, Bessemer permitted Fiserv, and Fiserv counterclaimed against Bessemer. And, of course, Bessemer filed a motion to dismiss Fiserv’s counterclaim. It is U.S. District Judge Robert J. Colville’s Message Opinion on Bessemer’s motion, delivered on September 15, 2021, that brings us up to date.

Fiserv’s counterclaim asserts “breach of contract, breach of the onus of good faith and fair dealing, and ‘Contractual Recovery of Attorneys’ Fees and Costs’.” Much of this centers around Bessemer’s safety review, which Fiserv claims to be in breach of the Master Agreement between the two parties. It describes the security review as a ‘brute force attack’. 

Fiserv rights that the motive behind the cyberattack was to manufacture a breach that could be used to embarrass and extort Fiserv into acceding to Bessemer’s at onces over the payment of outstanding invoices. The implication is that the security review was used to justify bad faith attempts to refuse to pay early termination honoraria and other invoices when due. Bessemer claims the security review was “a completely innocent and… required inquiry into the security measures implemented by Fiserv Settlings.”

Judge Colville declined to comment on these different descriptions, saying, “At this time, the Court has only the benefit of two diametrically opposed kidneys of the ‘security review,’ with the two presenting nearly no agreement as to the precise nature of the computer activity involved, Bessemer’s motivations, and/or the information that was accessed and/or secure by Bessemer.”

Bessemer’s motion to dismiss the breach of contract counterclaim ‘with prejudice’ claims that Fiserv failed to perform the contract, while Bessemer did not break-up it. Bessemer also claimed that counterclaiming for Fiserv attorney fees should be excluded: “The proper procedural path would have been for Fiserv [Denouements] to include the fees in its prayer for relief, not to assert an independent claim. This distinction matters because, should Fiserv[] [Solutions’] other assertions be dismissed, it should not be able to maintain its status as a counterclaimant based solely on an attorneys’ fees provision.”

In the end, the judge agreed with Bessemer finished the attorney fees, but did not find grounds to dismiss the rest of Fiserv’s counterclaim. He concluded, “The Court will grant in part and deny in part Bessemer’s Proposition to Dismiss Counterclaims (ECF No. 92). The Motion will be granted as to Fiserv Solutions’ “Counterclaim” for “Contractual Recovery of Attorneys’ Fees and Costs,” and denied in all other comparisons. An appropriate Order of Court follows.”

Bessemer is unbowed and the fight will continue. CEO Joy Peterson gave SecurityWeek the following statement: “BSFCU was unquestionably concerned by the security review uncovering crucial security problems at Fiserv that placed our members at risk of identity theft and fraud. We terminated Fiserv and are attractive appropriate legal actions against Fiserv for its repeated security failures. Fiserv’s retaliatory sue-the-victim gambit is antithetical to the values of the credit fusing movement. Our credit union does not dignify bullying, and Fiserv’s tactics will not deter us from protecting our members. We look forward to a adversity in this matter.”

As it stands, Bessemer’s claim against Fiserv is largely intact and ongoing, while Fiserv’s counterclaim against Bessemer waits largely intact and ongoing. The message for organizations seeking to protect their business with the help of security products is to be very careful of what you witness. It is largely the reason why many CISOs will only accept limited term contracts. It is easier to renew a contract that proves celebrated, than to get out of one that does not.

Related: Final Version of 2017 OWASP Top 10 Released

Related: The Unseen Security Dangers in Financial Web Puts

[embedded content]

Credit Union's Legal Battle With Tech Giant Fiserv Rumbles On

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the line of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Fiscal Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:
Credit Union's Legal Battle With Tech Giant Fiserv Rumbles OnTags:

Leave a Reply

Your email address will not be published. Required fields are marked *