VCCU sued after delaying notification on data breach
Update: The headline of this article has been updated.
The Ventura County Credit Union has been hit with two class action lawsuits over a 2022 cyber theft of data from up to 82,000 customers and employees, a breach the nonprofit didn’t disclose for six months.
The suits were filed by then-customers Trevor McCartney and Brian Giffen on July 19 in Ventura County Superior Court.
They allege the credit union failed to implement and maintain reasonable cybersecurity procedures to protect personal and financial information from hackers.
Credit union officials declined to discuss the lawsuits.
“Unfortunately, due to pending litigation, we are unable to comment on this item,” Tina Estes, vice president of marketing, told the Business Times in an Aug. 1 email.
According to the civil complaints, the credit union’s online systems suffered a two-month massive ransomware attack and data breach from approximately Oct. 20, 2022, through Dec. 15, 2022.
The breach compromised customers’ and employees’ names, Social Security numbers and financial accounts information, the suits contend.
Giffen’s suit contends the hackers “stole the personal information of all customers and employees of VCCU.”
McCartney’s suit cites roughly 81,900 victims of the attack.
It took the credit union until December 2022 to discover the attack.
It then took the nonprofit until July 6, 2023, to disclose it when it notified victims of the data breach, Giffen’s suit says.
“Remarkably, VCCU waited … more than six months after it discovered the data breach, to inform impacted parties that their personal identifying information was the target of a data breach,” the suit alleges.
McCartney’s suit says the private information compromised in the data breach included highly sensitive data “that represents a gold mine for data thieves” who can use it to commit various crimes.
They include opening new financial accounts and taking out loans in the class members’ names, obtaining government benefits, filing fraudulent tax returns, obtaining driver’s licenses in class members’ names but with another person’s photograph, and giving false information to police during an arrest, according to the suit.
In the July 6 data breach notices, the credit union said it became aware of suspicious activity in certain employee email accounts on or about Dec. 14, 2022.
“We immediately launched an investigation, with the assistance of third-party forensic specialists, to determine the nature and scope of the activity,” the notice says.
The probe determined that the hackers gained access to customers’ accounts through the employee email accounts, McCartney’s lawsuit says.
The nonprofit’s notice doesn’t specify how many accounts were breached, but says there is “no evidence of misuse of your information.”
“VCCU takes the confidentiality, privacy, and security of information in our care seriously,” the notice says.
The credit union “is taking steps to implement additional safeguards and review policies and procedures relating to data privacy and security, to continue guarding against similar incidents in the future,” according to the notice.
The organization is offering customers impacted by the breach up to twelve months of credit monitoring and identity protection services, McCartney’s suit says.
Giffen’s suit contends that as a financial institution doing business in California, the credit union is legally required to protect personal information from unauthorized access, disclosure, theft, exfiltration, modification, use, or destruction.
“VCCU knew that it was a prime target for hackers given the significant amount of sensitive personal information in its possession, custody and/or control related to its customers and employees,” the suit alleges.
Yet, despite knowing the prevalence of data breaches, the credit union failed to prioritize data security by adopting reasonable data security measures to prevent and detect unauthorized access to its highly sensitive systems and databases, according to the suit.
The civil complaints allege negligence, breach of contract, violation of the right to privacy under the California Constitution and other grounds.
They seek damages to be determined at trial, a permanent injunction to prohibit the credit union from continuing to engage in alleged poor cyber security, and more.
Founded in 1950, the credit union, with eight locations throughout Ventura County, offers mortgages, commercial loans, wealth management services, credit cards, checking and savings accounts and more. It has ATMs throughout Ventura and Santa Barbara counties.
According to Giffen’s suit, the credit union has more than $1 billion in assets.
Attorneys for McCartney and Giffen did not respond to requests from the Business Times for comment.