Dive Brief:

• Payment processing titan Fiserv was sued over providing inadequate cybersecurity, this time regarding its online banking platform that offers services to small financial institutions.
• Tampa-based FiCare Federal Credit Union said in a complaint filed Tuesday that hackers broke into the system, called Virtual Branch Next, and used the union's connection to take over its customers' accounts and steal money. The payment processor then charged the credit union additional fees for a security upgrade, the complaint alleges. Fiserv denied the allegations in an emailed statement.
• FiCare is seeking monetary damages and the recovery of lost funds from Fiserv, Charles Nerko, an attorney representing FiCare, said in an emailed statement, but the credit union hopes the case prompts the payment company to improve its security. "Litigation can drive both accountability and compensation in a way customer service channels rarely do. If Fiserv billed for security it did not deliver, its customers should be made whole," he said.

Dive Insight:

The lawsuit is the latest legal action against Fiserv. The cases have piled on in recent months as shareholders have accused the company of — among other things — misleading investors about the success of the point-of-sale service Clover by forcing new customers to use it. And, at least one other credit union has alleged the firm used lax online security.

The latest lawsuit involving Clover was filed Tuesday in federal court in Wisconsin and alleges that Fiserv funneled merchants to Clover from a different point-of-sale service to inflate Clover’s revenue, according to the media outlet Bloomberg Law.

As for the credit union lawsuit filed this week, the hacks on FiCare began in 2024, Nerko said. 

Virtual Branch Next aims to help credit unions provide services online such as bill payment and financial management tools.

FiCare customers lost hundreds of thousands of dollars in account takeovers, said the complaint, which was filed in a Tampa federal court. Nerko declined to say precisely how much money was lost.

While the credit union reimbursed affected customers and alerted the payment processor to the problem, Fiserv did not reimburse FiCare for the breaches, according to the complaint.

"Fiserv’s systems lack basic security controls," the credit union said in its lawsuit. "They expose member information to easy compromise. They allow hackers to easily steal staggering amounts from financial institutions. And Fiserv continued to sell and operate these systems while assuring FiCare Federal that everything was secure."

Specifically, Milwaukee-based Fiserv failed to apply safety protocols such as biometric controls and multi-factor authentication, the complaint alleges.

Fiserv told customers in December that it would charge them for a security upgrade, and they had until March to sign a new agreement to receive the enhanced protection, according to the complaint.

The payment processor disputed the allegations outlined in the complaint. "Fiserv disagrees with the claims and will vigorously defend itself in the lawsuit," a company spokesperson said in an emailed statement.

The company's stock plummeted in late October after earnings disappointed investors relative to analyst expectations. Shares are down roughly 49% since Oct. 28.

CEO Mike Lyons, who replaced long-time CEO Frank Bisignano last year, has acknowledged some miscalculations but has defended the company's performance, particularly concerning the migration of its Clover point-of-sale product.