DUBLIN >> A dozen cases against Patelco Credit Union have been consolidated in Alameda County Superior Court following the massive ransomware attack on the company earlier this year.
A dozen plaintiffs are suing the Dublin-based company alleged negligence, breach of contract and good faith, violations of the California Consumer Privacy Act and other damages caused in “the massive and preventable cyberattack” suffered by the credit union this summer, according to court documents.
Patelco first announced the attack in an email and web post to customers on June 29, at the same time locking customers out of their online bank accounts. This barred anyone, even Patelco tellers and administrators, from checking customer balances, sending or receiving online payments or even logging into their online accounts.
Throughout the two-week ordeal, Patelco continued to push out updates on a dedicated website to notify customers of service updates, such as when online payments through Zelle and PayPal were available. The credit union announced it “stabilized” its network in late July, after the lockout ended on July 15.
The 12 customers suing the credit union include Anand Chaudhry, Jamie Wallace, Joshua Warren, Carl Cordell, Austin Lawhead, Bradley Tanzman, Darren Van Antwerp, Darrel Adams, Wily Lee, Siobhan Gallagher, Sean McGinity and Daniel Corona, court records show. Cordell’s case is labeled the lead case, records show.
In mid-July, the courts began consolidating the 12 cases in August. The group’s lead attorneys, Scott Edward Cole and Alicyn B. Whitley of Oakland-based Cole & Van Note, wrote in court records that the ransomware attack may have affected over a million people. Patelco says it serves over half a million customers and manages over $9 billion in assets.
Patelco also reported $39 million in losses to the National Credit Union Association in the third quarter of this fiscal year, according to a report from the Credit Union Times, a trade journal.
Rina Johnson, a Patelco spokesperson, confirmed to this news organization that the losses were primarily “caused by members overdrawing their accounts during the system outage.”
“For the period ended Sept. 30, 2024, we have adequately reserved for all expected losses related to the security incident,” Johnson said in a statement to the Bay Area News Group last week. “However, the final outcome may not be resolved for an extended period of time and could be different than expected.”
Johnson also confirmed that “Patelco did not pay the ransom.” When asked to elaborate on the size of the ransom request, Johnson declined to comment further.
A case management conference regarding the consolidated cases is scheduled for Jan. 28 in Alameda County Court, records show. No trial date has been set.
The credit union is also being sued by half a dozen other plaintiffs in federal court over the attack.