List of CUs Suing Fiserv for Alleged Security Lapses Grows by Four in Four Months

The $33.3 million Cencap Federal Credit Union in Hartford, Conn., sued Fiserv in June 2025 over alleged security problems. On Monday, the credit union and the technology company said the case has been settled in principle and that they expect to file a motion to dismiss by the end of April. In 2024, the $46.7 million Bessmer Systems Federal Credit Union in Greenville, Pa., settled its lawsuit with Fiserv, and so did U.S. Court House SDNY Federal Credit Union in 2023.

A Fiserv spokesperson said the current credit union cases fundamentally mischaracterize Fiserv's credit union business and longstanding commitment to protecting its clients.

"Our policies and practices are designed to deliver effective information security programs tailored to each client's business, member preferences and other needs. The features of these programs are detailed in comprehensive written agreements between Fiserv and its clients, something that these lawsuits ignore," the spokesperson said. "Fiserv looks forward to the opportunity of presenting its motion to dismiss arguments and other positions in these actions and to vigorously defending itself in court."

E&G FCU claims Fiserv did not provide a secure and reliable core processing service.

Specifically, Fiserv allegedly failed to maintain adequate safeguards to ensure that transactions were accurately recorded and reconciled, corrupting Educational FCU's books and records. The credit union also alleged Fiserv provided weak multi-factor authentication, (MFA), to protect confidential data.

"On at least one system housing Educational FCU's confidential information, Fiserv has not required any MFA or email passcode challenge at all," the lawsuit claimed. "For other systems housing Educational FCU's confidential information, Fiserv relied on an email passcode challenge instead of MFA. Email does not establish possession of a specific device and does not qualify as a second factor under federal regulatory guidance."

POLAM's lawsuit claimed after experiencing many security and technological deficiencies in Fiserv products, it conducted a review of that company's security controls.

Although the lawsuit did not quantify the number of Fiserv's deficiencies, POLAM alleged Fiserv failed to implement multi-factor authentication (MFA) on the credit union's online banking website and mobile application.

"The Client360 system, which is used by credit union and Fiserv employees for service tickets, change orders and communication that can include confidential information and requests affecting system security, did not have proper MFA implemented," POLAM lawsuit stated. "This system has an email delivered passcode."

MFA also was not allegedly used to protect confidential information on other Fiserv systems used by credit union employees. Because of these security risks, POLAM sent Fiserv a notice of breach in July 2025.

Fiserv is expected to answer POLAM's allegations in April.

In its lawsuit, FiCare alleged Fiserv's online banking platform, Virtual Branch Next, is allegedly insecure because it has been repeatedly hacked and its members have suffered hundreds of thousands of dollars in fraud losses. The complaint did not specify how many members were affected, but FiCare said it reimbursed their losses.

Like POLAM, FiCare's complaint raised questions about Fiserv's MFA practices.

"For its own corporate data, Fiserv deploys layered, possession-based multi-factor authentication, token generators and biometric controls. For FiCare Federal's systems, Fiserv withheld those protections," the credit union stated. "Instead, it relied on authentication methods so weak and susceptible to hacking that federal standards expressly prohibit their use."

In its motion to dismiss FiCare's complaint, Fiserv said the credit union's claims contradict the plain language of the parties' agreement.

"That agreement does not obligate Fiserv to utilize a specific type of MFA, let alone the types of MFA that FiCare now claims to prefer," Fiserv stated. "Although the (FiCare) complaint is lengthy, it does not identify a single contractual provision mandating possession-based MFA, biometric, or any other forms of MFA FiCare wants because there is no such provision."

Fiserv also has asked a federal judge to dismiss the Self-Help lawsuit, which alleged the technology company misrepresented its data security practices and knowingly concealed their deficiencies including MFA.

On Nov. 24, 2025, Self-Help sent a letter to Fiserv that identified its alleged failure to implement MFA despite receiving payment for the service.
Fiserv disputed the breach.

Self-Help sent that letter to Fiserv when it was completing its merger with the $60.5 million Winston-Salem Federal Credit Union (WSFCU) in North Carolina, a Fiserv client for more than 20 years. Fiserv asserted WSFCU never raised security issues before the Nov. 24 demand letter.

"After acquiring WSFCU, Self-Help no longer desired these services," Fiserv said. "Rather than pay the contractual exit and deconversion fees and amicably wind down the relationship, Self-Help manufactured a purported crisis and now seeks to litigate a putative data breach case without ever alleging an actual breach."

Fiserv added that while Self-Help asserts claims about Fiserv's security it does not allege any incident or identify any product that purportedly fails to meet a contractual standard.

Although U.S. District Court Judge Thomas D. Schroder in Greensboro, N.C., did not rule on Fiserv's motion to dismiss the case, he denied the credit union's request for a temporary restraining order. The TRO would have required Fiserv to secure its systems and prevent unauthorized access, among other measures, according to court filings.

Peter Strozniak can be reached at peter.strozniak@arc-network.com.