Credit Union’s Legal Battle With Tech Giant Fiserv Rumbles On
Local credit union, Bessemer System Federal Credit Union (BSFCU), sued Fortune 500 tech giant Fiserv over ‘amateurish security lapses’ in 2019. Fiserv counterclaimed with a motion to dismiss, and Bessemer motioned to dismiss the counterclaim.
BSFCU was founded 75 years ago by employees of the Bessemer and Lake Erie Railroad in Greenville, Pa. It now provides community credit union services to Mercer County, Pennsylvania. Fiserv is one or the world’s largest fintech companies. It is ranked 205 in the Fortune 500, and has a market value of around $80 billion.
In August 2018, Brian Krebs had reported on a Fiserv platform security lapse that enabled one customer to see the email address, phone number and full bank account number of another – an example of what OWASP calls ‘broken access control’. BSFCU subsequently performed its own security review and found further vulnerabilities in the online banking website that Fiserv had provided.
A banner on its homepage states, “Due to vulnerabilities we discovered with the Ezcardinfo site, we have discontinued all new enrollments effective immediately. We will be discontinuing all access to the site after notifying all current users.”
According to BSFCU, Fiserv responded with “an aggressive ‘notice of claims’ attempting to silence Bessemer by threatening civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties”, including other Fiserv customers.
In the end, Bessemer sued Fiserv, and Fiserv counterclaimed against Bessemer. And, of course, Bessemer filed a motion to dismiss Fiserv’s counterclaim. It is U.S. District Judge Robert J. Colville’s Memorandum Opinion on Bessemer’s motion, delivered on September 15, 2021, that brings us up to date.
Fiserv’s counterclaim asserts “breach of contract, breach of the duty of good faith and fair dealing, and ‘Contractual Recovery of Attorneys’ Fees and Costs’.” Much of this centers around Bessemer’s security review, which Fiserv claims to be in breach of the Master Agreement between the two parties. It describes the security review as a ‘brute force attack’.
Fiserv claims that the motive behind the cyberattack was to manufacture a breach that could be used to embarrass and extort Fiserv into acceding to Bessemer’s demands over the payment of outstanding invoices. The implication is that the security review was used to justify bad faith attempts to refuse to pay early termination fees and other invoices when due. Bessemer claims the security review was “a completely innocent and… required inquiry into the security measures implemented by Fiserv Solutions.”
Judge Colville declined to comment on these different descriptions, saying, “At this time, the Court has only the benefit of two diametrically opposed descriptions of the ‘security review,’ with the two presenting nearly no agreement as to the precise nature of the computer activity involved, Bessemer’s motivations, and/or the information that was accessed and/or acquired by Bessemer.”
Bessemer’s motion to dismiss the breach of contract counterclaim ‘with prejudice’ claims that Fiserv failed to perform the contract, while Bessemer did not breach it. Bessemer also claimed that counterclaiming for Fiserv attorney fees should be excluded: “The proper procedural path would have been for Fiserv [Solutions] to include the fees in its prayer for relief, not to assert an independent claim. This distinction matters because, should Fiserv [Solutions’] other claims be dismissed, it should not be able to maintain its status as a counterclaimant based solely on an attorneys’ fees provision.”
In the end, the judge agreed with Bessemer over the attorney fees, but did not find grounds to dismiss the rest of Fiserv’s counterclaim. He concluded, “The Court will grant in part and deny in part Bessemer’s Motion to Dismiss Counterclaims (ECF No. 92). The Motion will be granted as to Fiserv Solutions’ “Counterclaim” for “Contractual Recovery of Attorneys’ Fees and Costs,” and denied in all other respects. An appropriate Order of Court follows.”
Bessemer is unbowed and the fight will continue. CEO Joy Peterson gave SecurityWeek the following statement: “BSFCU was very concerned by the security review uncovering crucial security problems at Fiserv that placed our members at risk of identity theft and fraud. We terminated Fiserv and are taking appropriate legal actions against Fiserv for its repeated security failures. Fiserv’s retaliatory sue-the-victim gambit is antithetical to the values of the credit union movement. Our credit union does not dignify bullying, and Fiserv’s tactics will not deter us from protecting our members. We look forward to a trial in this matter.”
As it stands, Bessemer’s claim against Fiserv is largely intact and ongoing, while Fiserv’s counterclaim against Bessemer remains largely intact and ongoing. The message for organizations seeking to protect their business with the help of security products is to be very careful of what you sign. It is largely the reason why many CISOs will only accept limited term contracts. It is easier to renew a contract that proves successful, than to get out of one that does not.