Enterprises are ultimately responsible for safeguarding customer data, even if the work is being handled by a service provider. A small credit union is trying to hold its technology vendor accountable for allegedly leaving security vulnerabilities unfixed in the software platform and not adequately safeguarding account information.
Bessemer System Federal Credit Union, of Greenville, Penn., said in its lawsuit that the web platform from Wisconsin-based Fiserv Solutions inaccurately reported member account records and information and failed to secure confidential member information and financial records against access by unauthorized third parties. The technology platform was Bessemer’s “lifeblood,” as it was used to run the credit union’s website, generate statements, and track deposits for its 4,311 members (and nearly $38 million in assets).
“Bessemer's member information has been subject to several instances of critical security vulnerabilities while in Fiserv's custody—each based on baffling and amateurish security lapses,” the lawsuit said.
Fiserv allegedly had a security breach in 2016 which exposed confidential information belonging to Bessemer members, including names, tax ID numbers, and parts of account numbers, to an unauthorized party. Instead of treating the breach as a “wake up call” and fixing the issues, Fiserv ignored the problem, Bessemer said.
Not only did Fiserv ignore the security issues, the fintech giant allegedly threatened those who discovered vulnerabilities “in an effort to conceal these problems from affected financial institutions and consumers,” Bessemer said in court documents filed in Pennsylvania’s Mercer County on April 26 and posted online by CyberScoop. The lawsuit also accused Fiserv of “silencing its [Fiserv] clients from disclosing to other affected clients when there are security problems, and holding customers’ data hostage when those customers seek to go to competitors.”
As one of the three companies that power much of the digital infrastructure used by smaller banks and credit unions, Wisconsin-based Fiserv has thousands of clients around the world and commands more than 37 percent of the market. Any problems in Fiserv’s platform would presumably impact thousands of other small banks and credit unions that rely on the technology for their operations.
No Security 101
Bessemer claimed Fiserv did not “make the proper financial investments to keep up with emerging technology and security risks.” For example, Fiserv allegedly did not regularly update systems with security patches, even delaying updates that fixed high-severity vulnerabilities for more than 30 days after they became available. Fiserv “inexplicably stopped” installing and updating antivirus software on Bessemer’s systems. The lawsuit also alleged that Fiserv has products and services in its environment that are past their end-of-life or end-of-service dates, which means those systems no longer receive security updates.
“As these products and services are no longer marketed, sold or upgraded by manufacturers, they are more likely to be exploited and to have unpatched security vulnerabilities,” Bessemer said.
According to the lawsuit, Fiserv’s “Charlotte” account processing system contained a large number of bugs that impacted Bessemer’s operations, such as misrepresenting loan payments, cancelling accounts, reporting incorrect principal balances, charging for cancelled services, and not accurately recording when loans were paid off. Other bugs caused the system to put the wrong address on customer mailings and to produce incorrect mortgage interest, late fees, and loan due dates. On many occasions, Charlotte was unavailable, which meant the credit union could not access the records and information it needed to process transactions.
“Despite Fiserv's claimed expertise, Fiserv has misreported Bessemer's account records and information, while being plagued with security vulnerabilities that affect the privacy of thousands of Bessemer's members,” the lawsuit said.
Threats, Not Fixes
This isn’t the first time Fiserv has been taken to task for its security problems. In 2017, Fiserv settled out of court with the Parks Heritage Federal Credit Union, of Glens Falls, NY, over alleged flaws and defects in the account processing system. Back in August 2018, KrebsOnSecurity’s Brian Krebs reported a “glaring weakness”—a broken access control—in Fiserv’s web platform which exposed “personal and financial details of countless customers across hundreds of bank web sites.” A person could change a number included in the Fiserv URL and access alerts associated with different accounts. Fiserv initially did not respond to the person who found the issue, but deployed a security patch within 24 hours of the Krebs report.
Krebs noted at the time that hundreds of other Fiserv-affiliated banks would be affected.
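The broken access control described above is an insecure direct object reference: the alert id in the URL was trusted on its own. The following is an added illustration, not code from the article or from Fiserv, of an alert lookup that checks ownership against the session, returns the same not-found result for missing and foreign ids, and counts cross-account denials per session as a detection signal. The data, the session model and the probing threshold are all assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    alert_id: int
    account_id: str
    text: str

# Constructed sample data (not Fiserv's): sequential ids, as a URL query parameter would carry.
ALERTS = {
    1001: Alert(1001, "acct-A", "Low balance"),
    1002: Alert(1002, "acct-B", "Large withdrawal"),
    1003: Alert(1003, "acct-A", "New payee added"),
}

PROBE_THRESHOLD = 3  # hypothetical: ownership failures per session before the session is flagged

class NotFound(Exception):
    """One response for 'no such alert' and 'not your alert', so ids cannot be probed."""

class AlertService:
    def __init__(self, alerts=ALERTS):
        self.alerts = alerts
        self.denials = Counter()  # session id -> number of cross-account denials

    def get_alert_unsafe(self, alert_id: int) -> Alert:
        # The flaw the article describes: the id from the URL is the only input.
        return self.alerts[alert_id]

    def get_alert(self, session_id: str, session_account: str, alert_id: int) -> Alert:
        alert = self.alerts.get(alert_id)
        if alert is not None and alert.account_id != session_account:
            # An existing alert owned by someone else is the enumeration signal worth logging.
            self.denials[session_id] += 1
        if alert is None or alert.account_id != session_account:
            raise NotFound(alert_id)
        return alert

    def suspected_probing(self, session_id: str) -> bool:
        return self.denials[session_id] >= PROBE_THRESHOLD

def fetch_status(svc: AlertService, session_id: str, session_account: str, alert_id: int) -> str:
    """Outcome as a string, the way a handler would map it to a response code."""
    try:
        return "ok:" + svc.get_alert(session_id, session_account, alert_id).text
    except NotFound:
        return "not_found"
```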
Bessemer conducted its own investigation after this incident and discovered that an unauthorized person could register an online account tied to the bank accounts of offline customers, provided the person had the account number and the last four digits of the account owner’s Social Security number. Because the account number is easily obtainable, say from a check, and the platform didn’t lock out logins after a certain number of failed attempts, anyone could have cycled through all possible four-digit combinations to guess their way in.
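A per-account lockout is the control whose absence the paragraph above describes. This is an added example, not code from the article or from Fiserv: an enrollment verifier that refuses further checks for an account number after a fixed number of misses, so a correct value is no longer accepted inside the lockout window. The policy values, the record format and the sample account are assumptions.

```python
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

MAX_FAILURES = 5        # hypothetical policy: misses allowed per account number
LOCKOUT_SECONDS = 900   # hypothetical policy: 15-minute lockout once exceeded

class ManualClock:
    """Settable clock so the lockout window can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now

@dataclass
class EnrollmentGuard:
    # Constructed records (not real data): account number -> last four SSN digits.
    records: Dict[str, str]
    clock: Callable[[], float] = time.time
    # account number -> (misses so far, time until which the account number is locked)
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def verify(self, acct: str, last4: str) -> str:
        """Return 'ok', 'denied' or 'locked'; 'locked' is the outcome the flawed platform lacked."""
        now = self.clock()
        misses, locked_until = self.failures.get(acct, (0, 0.0))
        if locked_until > now:
            return "locked"          # even a correct value is refused inside the window
        if locked_until:
            misses = 0               # window has expired: start a fresh count
        expected = self.records.get(acct, "")
        # Constant-time compare; an unknown account number takes the same path as a miss.
        ok = bool(expected) and hmac.compare_digest(expected.encode(), last4.encode())
        if ok:
            self.failures.pop(acct, None)
            return "ok"
        misses += 1
        locked_until = now + LOCKOUT_SECONDS if misses >= MAX_FAILURES else 0.0
        self.failures[acct] = (misses, locked_until)
        return "locked" if locked_until else "denied"
```

The same counter should also feed rate limiting per source address, since a lockout keyed on the account number alone still lets one client spread attempts across many accounts.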
Fiserv responded with a “purely cosmetic fix” that did not address the problem, and then “thanked” Bessemer with an aggressive “notice of claims” threatening “civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties,” the lawsuit said. Bessemer was told it could not notify other Fiserv customers who could have been affected as well.
“To Fiserv, it was more important to keep its security problems under wraps than to fix security holes that potentially threatened scores of financial institutions,” the lawsuit said.
No Controls
Bessemer hired security ratings company Security Scorecard in February to evaluate Fiserv’s software. The review uncovered more than 40 weaknesses in Fiserv’s security, such as not enforcing HTTPS, which exposed users to possible man-in-the-middle attacks; not implementing protections against cross-site scripting; not locking accounts after multiple failed login attempts, which would help prevent credential stuffing attacks; running an obsolete SSH implementation; relying on weak ciphers; no rate limiting; and no CAPTCHA support. Bessemer also twice observed network activity indicative of malware infections.
Security Scorecard rated the fintech company a “C” on an A-to-F scale.
“A company such as Fiserv rated below a B is 5.4 times more likely to suffer a consequential breach, a dismal state of security for a company such as Fiserv that is entrusted with safeguarding highly sensitive information pertaining to the customers of more than one in three financial institutions in the United States,” Bessemer wrote in the lawsuit.
Bessemer hiring Security Scorecard was a very practical—and reasonable—decision, since Bessemer was able to see the risks to its own business and operations that were the result of Fiserv’s security decisions. Fiserv even told the SEC in its recent 10-K filings that clients should "conduct ongoing monitoring and risk management for third-party relationships."
“Fiserv’s lax security controls have harmed Bessemer on multiple occasions,” the lawsuit contends.
Assess and Act
Fiserv does not comment on legal matters, but denied any wrongdoing.
It is up to the enterprise to assess the software and technology it buys, and the services it receives from providers, and to understand its risk posture. When the problems are too serious, the enterprise has to either put in its own controls to mitigate the issues or switch to an alternative vendor. In this situation, Bessemer stopped paying Fiserv for the computerized back office and data processing service and will completely sever ties with the company. The lawsuit is seeking unspecified damages for negligence, breach of contract, and unfair trade practices.
“To protect the credit union’s members, the credit union is replacing its core processing vendor and will be taking appropriate legal action against the vendor,” Charles Nerko, the lawyer representing Bessemer in this lawsuit, told SecurityWeek.
“If Fiserv is allowed to continue its course of misconduct, it will be encouraged to continue threatening its clients when security issues are reported, rather than making the proper investments to ensure that consumers’ information is being properly safeguarded and accurately reported,” the lawsuit said. “That result would significantly threaten the thousands of financial institutions that Fiserv services and the innumerable consumers who entrust Fiserv to safeguard their most sensitive financial information.”