Management & Strategy

Credit Union’s Legal Battle With Tech Giant Fiserv Rumbles On

Local credit union, Bessemer System Federal Credit Union (BSFCU), sued Fortune 500 tech giant Fiserv over ‘amateurish security lapses’ in 2019. Fiserv counterclaimed with a motion to dismiss, and Bessemer motioned to dismiss the counterclaim.

BSFCU was founded 75 years ago by employees of the Bessemer and Lake Erie Railroad in Greenville, Pa. It now provides community credit union services to Mercer County, Pennsylvania. Fiserv is one of the world’s largest fintech companies. It is ranked 205 in the Fortune 500, and has a market value of around $80 billion.

In August 2018, Brian Krebs had reported on a Fiserv platform security lapse that enabled one customer to see the email address, phone number and full bank account number of another – an example of what OWASP calls ‘broken access control’. BSFCU subsequently performed its own security review and found further vulnerabilities in the online banking website that Fiserv had provided. 

According to BSFCU, Fiserv responded with “an aggressive ‘notice of claims’ attempting to silence Bessemer by threatening civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties”, including other Fiserv customers.

In the end, Bessemer sued Fiserv, and Fiserv counterclaimed against Bessemer. And, of course, Bessemer filed a motion to dismiss Fiserv’s counterclaim. It is U.S. District Judge Robert J. Colville’s Memorandum Opinion on Bessemer’s motion, delivered on September 15, 2021, that brings us up to date.

Fiserv’s counterclaim asserts “breach of contract, breach of the duty of good faith and fair dealing, and ‘Contractual Recovery of Attorneys’ Fees and Costs’.” Much of this centers around Bessemer’s security review, which Fiserv claims to be in breach of the Master Agreement between the two parties. It describes the security review as a ‘brute force attack’. 

Fiserv claims that the motive behind the cyberattack was to manufacture a breach that could be used to embarrass and extort Fiserv into acceding to Bessemer’s demands over the payment of outstanding invoices. The implication is that the security review was used to justify bad faith attempts to refuse to pay early termination fees and other invoices when due. Bessemer claims the security review was “a completely innocent and… required inquiry into the security measures implemented by Fiserv Solutions.”

Judge Colville declined to comment on these different descriptions, saying, “At this time, the Court has only the benefit of two diametrically opposed descriptions of the ‘security review,’ with the two presenting nearly no agreement as to the precise nature of the computer activity involved, Bessemer’s motivations, and/or the information that was accessed and/or acquired by Bessemer.”

Bessemer’s motion to dismiss the breach of contract counterclaim ‘with prejudice’ claims that Fiserv failed to perform the contract, while Bessemer did not breach it. Bessemer also claimed that counterclaiming for Fiserv attorney fees should be excluded: “The proper procedural path would have been for Fiserv [Solutions] to include the fees in its prayer for relief, not to assert an independent claim. This distinction matters because, should Fiserv[] [Solutions’] other claims be dismissed, it should not be able to maintain its status as a counterclaimant based solely on an attorneys’ fees provision.”

In the end, the judge agreed with Bessemer over the attorney fees, but did not find grounds to dismiss the rest of Fiserv’s counterclaim. He concluded, “The Court will grant in part and deny in part Bessemer’s Motion to Dismiss Counterclaims (ECF No. 92). The Motion will be granted as to Fiserv Solutions’ “Counterclaim” for “Contractual Recovery of Attorneys’ Fees and Costs,” and denied in all other respects. An appropriate Order of Court follows.”

Bessemer is unbowed and the fight will continue. CEO Joy Peterson gave SecurityWeek the following statement: “BSFCU was very concerned by the security review uncovering crucial security problems at Fiserv that placed our members at risk of identity theft and fraud. We terminated Fiserv and are taking appropriate legal actions against Fiserv for its repeated security failures. Fiserv’s retaliatory sue-the-victim gambit is antithetical to the values of the credit union movement. Our credit union does not dignify bullying, and Fiserv’s tactics will not deter us from protecting our members. We look forward to a trial in this matter.”

As it stands, Bessemer’s claim against Fiserv is largely intact and ongoing, while Fiserv’s counterclaim against Bessemer remains largely intact and ongoing. The message for organizations seeking to protect their business with the help of security products is to be very careful about what you sign. This is largely why many CISOs will only accept limited-term contracts: it is easier to renew a contract that proves successful than to get out of one that does not.

Related: Final Version of 2017 OWASP Top 10 Released

Related: The Unseen Security Dangers in Financial Web Sites

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.
