Tinker Federal Credit Union Hit with Class Action Over August 2022 Data Breach [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action claims the cybersecurity failures of Tinker Federal Credit Union (TFCU) and a yet-unknown merchant payment processor (UMPP) were responsible for a “devastating” data breach around August 2022 that exposed the payment card details of potentially more than 445,000 consumers.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 34-page case alleges TFCU, the largest credit union in Oklahoma, and the UMPP, a company that processes credit and debit card payments but whose identity has not been disclosed by TFCU, failed to adequately safeguard consumers’ sensitive financial data from unauthorized access. The complaint states that on August 17 of last year, cybercriminals were able to infiltrate one or both defendants’ computer systems and access customers’ credit and debit card numbers, cardholder names, account numbers, expiration dates, card verification values (CVV) and PIN data for debit cards.

The filing explains that TFCU discovered the cyberattacks on August 18 and posted a notice on its Facebook page the same day, claiming its fraud detection systems were “identifying an unusually high number of debit card fraud attempts.” The company claimed, however, that the incident was “not the result of a TFCU system breach,” but was instead possibly a breach to an unnamed merchant’s system, the case relays.

The suit contends that affected individuals who do not have Facebook accounts may not have been made aware of the breach, especially since TFCU has yet to notify victims by “commonly accepted means,” such as U.S. mail or email, and the company has since removed a notice it briefly posted to its website.

Moreover, both TFCU and the UMPP are preventing victims from taking steps to protect their financial information from misuse by continuing to conceal the identity of the unnamed merchant, the case charges.

In other words, the complaint says, TFCU and the UMPP are “obfuscating the existence and nature of the Data Breach and the threat it poses to Data Breach victims.”

According to the case, the defendants “knew, or reasonably should have known,” that the payment card data stored in their networks were susceptible to an attack, but they nevertheless maintained an “insufficient and inadequate system” to protect consumers’ information. The filing also charges that the companies failed to satisfy industry standards for cybersecurity and neglected to adequately train their employees on reasonable data protection practices.

As a result of TFCU and the UMPP’s negligence, hundreds of thousands of data breach victims face the risk of fraud and identity theft for years to come as their information may be bought and sold on the dark web, the complaint asserts. 

The plaintiff, an Oklahoma resident who holds a bank account with TFCU, says she received a text from TFCU notifying her that an unknown actor used her card information on August 17 to make a $40 purchase at “ARA Wayne State.” Also on that day, TFCU informed the plaintiff via text that her debit card had been “locked,” and the woman was forced to miss work in order to obtain a new debit card from the company, the suit relays. The complaint also says that since the incident, the plaintiff’s PayPal account, which is linked to her TCFU debit card, was accessed by an unauthorized actor.

The lawsuit looks to represent anyone in Oklahoma whose payment card data was compromised in the data breach disclosed by Tinker Federal Credit Union in August 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.