Apr 29, 2019

Fintech firm Fiserv sued over alleged security lapses and pervasive bugs

The financial technology firm Fiserv, a major maker of banking software, is being sued by a Pennsylvania credit union over alleged "baffling security lapses," significant bugs and rampant billing errors.

Why it matters: Fiserv is a major global provider whose software is critical for banks. Problems with its products could affect as many as 12,000 clients, per the Fiserv website, and cause significant damage. In the lawsuit, the Bessemer System Federal Credit Union refers to Fiserv's products as the "lifeblood" of its company.

  • CyberScoop published a copy of the complaint here.

Details: Bessemer accuses Fiserv of a "baffling" history of security problems.

  • Some of those problems are public, including a 2016 breach and a widely reported security problem that left customer data exposed last year, as first reported by Brian Krebs.
  • Others came from Bessemer's own auditing. After the Krebs story, Bessemer investigated the Fiserv platform and noted problems it alleges would allow a hacker to register an online account tied to the bank accounts of offline customers and bypass the Bessemer terms of service.
  • After Bessemer notified Fiserv of the security problems, Fiserv allegedly threatened legal action.
  • Fiserv got a "C" rating from SecurityScorecard, which checks for common security flaws in website software.

Other allegations against Fiserv include:

  • Frequent billing problems, including charges for services that had been canceled or never requested.
  • Bugs that routinely caused problems in customer data, including misrepresenting when users submitted loan payments, accidentally canceling a user's account and not reporting that a loan had been paid off.
  • Bugs that affected the bank's operations, like outages of the system responsible for federally mandated FinCEN audits; a wrong return address on a mailing to customers, which made it impossible for the bank to find out when a letter was not delivered; and system problems that prevented employees from logging out or printing checks.

When asked for comment, a representative for Fiserv emailed: "We believe the allegations have no merit and will respond to them as part of the legal process."
