Lucy Flores attempts to check her balance at a Patelco ATM on Kala Bagai Way in downtown Berkeley, Calif., on Monday, July 1, 2024. “It makes me nervous not to be able to see what’s coming through my account,” Flores said. (Jane Tyska/Bay Area News Group)
DUBLIN — The president and CEO of Patelco has announced its network is “stabilized” and transactions are now being processed as the devastating cyber attack that crippled its systems remains unsolved.
“Once this is complete and we achieve full banking functionality, our members will be able to access their account balance and accounts as they typically would under normal circumstances,” Erin Mendez, the head of the Dublin-based credit union, wrote on Sunday. “I can’t share an exact date when we will be back to business as usual, but we can see the light at the end of the tunnel.”
Mendez’s announcement follows a tumultuous 10-day period where half a million customers were locked out of accounts due to a June 29 ransomware attack that put the entire Patelco system at risk of leaking financial and personal information to an outside attacker.
At least one unhappy customer has decided to take one of the nation’s largest credit unions to court. A California resident named Shawn Kent filed a lawsuit in Alameda County Superior Court on July 3, claiming that Patelco “intentionally, willfully, recklessly and/or negligently” failed to protect its clients’ private information.
“This is especially true given that (Patelco) is a large, sophisticated operation with the resources to put adequate data security protocols in place,” the suit filed by attorneys Scott Edward Cole and Laura Grace Van Note said. They are seeking class-action status.
The Oakland-based attorneys also wrote that Patelco caused “substantially increased risk of fraud, identity theft and misuse” of its clients’ private information. Kent wants to ensure his own private information “is protected and safeguarded from future breaches,” the suit says.
Private and banking information can be sold on the dark web, or illegal online servers, for $40 to $200, the attorneys allege, and “criminals can also purchase access to entire company data breaches from $999 to $4,995.”
With many recent high-profile data breaches targeting major corporations, Cole and Van Note said Patelco had a duty to know its security systems were inadequate at protecting its clients’ information. The credit union “could have prevented” the attack by “properly securing and encrypting and/or more securely encrypting” its private information, they said in the court filing.
Rina Johnson, Patelco’s vice president of marketing, declined to respond to a request for comment regarding the lawsuit Monday.
“We’re completely focused on getting back up and running right now and making sure our members are supported throughout the process,” Johnson wrote in an email.
Kent seeks relief and payment for the “actual, nominal and consequential damages” suffered in the recent ransomware attack. He says he suffered “lost time, annoyance, interference and inconvenience” from the breach, as well as “anxiety and increased concerns for the loss of privacy.”
By late Monday afternoon, customers still could not access their account balances online, nor could they directly send or receive money except via Venmo or PayPal. The credit union has urged customers since the beginning of the lockout to visit one of its 37 branches statewide for assistance, though some services such as debit card transactions and ATM functionality have been limited.
But Mendez assured customers that “our members’ money is safe and secure, and we are marching diligently toward full functionality.”
“I know I’ve stated this to you before, but the restoration of our systems while ensuring their future security requires careful and methodical work,” Mendez wrote. “I know this may not be moving as quickly as you’d like, but please know we are working as quickly as we can, and we know how critically important this is to our members.
Originally published at Kyle Martin