Crippling Patelco Ransomware Attack Leads to Pair of Class Action Lawsuits

Patelco is facing a pair of class action lawsuits after the Dublin-based credit union was targeted in a ransomware attack that has affected potentially hundreds of thousands of customers.

Since the large-scale breach was first reported on June 29, the company, which serves half a million members, shut down access to services including online banking and electronic money transfers. More than a week later, the company’s systems are still not fully operational.

The lawsuits allege Patelco failed to take reasonable steps to protect clients’ private information and caused customers time and monetary damages as a result of the attack.

Scott Cole, the principal attorney on a suit filed by Oakland law firm Cole & Van Note on behalf of Eileen Poluck, said his goal is to ensure the credit union implements better cybersecurity practices and to recover monetary damages for customers who have been harmed.

“There are a lot of people in the state of California that are suffering as a result of what we think is some pretty heavy negligence on part of the organization,” Cole told KQED.

The suit was filed on July 1, the day after Patelco’s 450,000 customers were notified of the ransomware attack. On July 3, San Diego law firm Wolf Haldenstein Adler Freeman & Herz filed a similar suit on behalf of Livermore resident Josh Warren.

Both cases allege that the company failed to protect customers’ personal information, which they were required to provide to access Patelco’s services.

Cole was unable to say how much personal information may have been exposed, but he said “if the extreme is the case … [it could include] Social Security numbers, to things such as the nature of the transactions that they retained the Patelco system with, to a variety of historical information about people’s finances.”

Poluck and other customers have been harmed by “lost time, annoyance, interference and inconvenience” and “anxiety and increased concerns for the loss of privacy,” according to the complaint.

“I have received probably no less than 100 calls and emails from people today, telling stories that range from trying to access money to complete home loan transactions, purchasing homes, accessing their money so they can pay basic bills for survival,” Cole told KQED.

Warren’s case also says that the credit union “knew or should have known that these attacks were common and foreseeable,” and points out that Patelco was the target of a “similar data security incident” in 2023.

Cole said that the two firms have been in touch regarding the suits, and that in similar cases, there is often a consolidation of leadership.

“I feel very confident the lawyers in both firms will work cooperatively and aggressively in litigating this case,” he told KQED.

Rina Johnson, Patelco’s vice president of marketing, told KQED on Wednesday that the company does not have any comment regarding questions of a lawsuit.

“We’re completely focused on getting back up and running right now and making sure our members are supported throughout the process,” Johnson said via email.

In an update sent to customers Tuesday, Patelco President and CEO Erin Mendez said that while the company does not yet know when online banking and access to account information will be fully operational, its “infrastructure is stable, secure and [they] are making positive momentum daily” toward restoring services.

Mendez said the credit union expects to catch up on processing transactions by the end of the week, at which time it will be able to confirm when account access will be restored.

KQED’s Juan Carlos Lara contributed to this report.