Fintech giant Fiserv sued by Pa. credit union for ‘baffling security lapses’

The complaint alleges that Fiserv left a Pennsylvania-based credit union's banking website littered with vulnerabilities.

A Pennsylvania credit union has sued fintech giant Fiserv for allegedly failing to address persistent vulnerabilities in the platform that powers its banking websites and online applications.

In a lawsuit filed Friday, Bessemer System Federal Credit Union said that the web platform maintained by Fiserv is “plagued with security vulnerabilities that affect the privacy of thousands of Bessemer’s members.”

Those vulnerabilities were “based on baffling and amateurish security lapses,” the document alleges.

The complaint describes Wisconsin-based Fiserv’s technology as the “lifeblood of Bessemer” in that it is used to run the website, generate statements and track deposits.


But now, the credit union says it’s ditching Fiserv, a Fortune 500 company that says it has some 12,000 clients in over 80 countries.

“To protect the credit union’s members, the credit union is replacing its core processing vendor and will be taking appropriate legal action against the vendor,” said Charles Nerko, a lawyer representing Bessemer System FCU. Reached by phone, Nerko declined to comment further.

The credit union is claiming it is owed relief from alleged damages caused by Fiserv on a number of grounds – including alleged negligence, unfair trade practices, and breach of contract.

The complaint, which was filed in a Mercer County, Pennsylvania court, also accused Fiserv of threatening “civil and criminal prosecution if Bessemer discussed Fiserv’s security problems with third parties.”

Fiserv spokeswoman Ann Cave said the company does not comment “outside of the legal process on pending legal matters.”


Fiserv earned $5.8 billion in revenue in 2018, according to SEC filings. It is one of three companies whose technology accounts for much of the digital infrastructure used by small banks, according to a recent Wall Street Journal article. Some small banks have started to chafe at their reliance on the services provided by those “core vendors,” The Journal reported.

By contrast, Bessemer System FCU is a local outfit, based in the northwestern Pennsylvanian town of Greenville and founded nearly 80 years ago by employees of the Bessemer and Lake Erie Railroad, according to its website. According to data from the National Credit Union Administration, Bessemer has 4,311 members that account for nearly $38 million in assets.

This is not the first time that public attention has been brought to security issues in the Fiserv platform. Last August, independent security journalist Brian Krebs reported that the company had just plugged a “glaring weakness” in its platform that had exposed personal and financial data on customers across hundreds of bank websites.

You can read the full lawsuit here.



Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
