Tinker Federal Credit Union BIN Attack and Fraud Class Action

This class action concerns something called “a BIN attack” on Tinker Federal Credit Union (TFCU), Oklahoma’s largest credit union, and its two merchant payment processing agents, BOKF which does business as TransFund, a National Association, and Fidelity National Information Services, Inc. (FIS). The complaint alleges that these three defendants did not take adequate measures to protect credit and debit card information, leading to the attack and a rash of credit and debit card fraud.

The class for this action is all citizens of Oklahoma whose payment card data (PCD) was compromised in the BIN attack revealed by the defendants on or around August 2022.

A BIN is a bank identification number, the first six digits of a payment card. A BIN attack occurs when fraudsters run these numbers through sophisticated software that can generate the remaining numbers for cards, then test the card numbers to see which are active and whether any fraud detection protection exists. The fraudsters then extract as much money as possible from the card.

In or around August 2022, the complaint alleges, fraudsters were able to penetrate the systems of one or more of the three defendants, gaining access to PCD—that is, card numbers as well as names, account numbers, and card verification values (CVVs) or PIN numbers for the cards. The complaint alleges, “The BIN Attack was caused by Defendants’ acts and omissions in failing to properly protect … PCD.”

On or around August 18, according to the complaint, TFCU said on Facebook that its fraud detection systems were “identifying an unusually high number of debit card fraud attempts” but that the breach was not in its own systems but possibly in one of its merchant processors systems.

However, the complaint holds all three defendants responsible and alleges that “upon information and belief, TFCU does not follow industry standard practices in securing … information and fails to adequately train its employees on cybersecurity policies, enforce those policies, or maintain reasonable security practices and systems.” It makes the same statement about the other two defendants as well.

According to the complaint, cybercriminals accessed the systems on or around August 17. The complaint claims that “Defendants failed to address an easily exploitable vulnerability, whereby cybercriminal(s) were able to test debit card numbers again and again, until they successfully matched the card numbers that they ultimately used to engage in fraudulent transactions with merchants.”

The complaint further faults TFCU for not notifying the individual victims by normally acceptable means, such as US mail or email, but informing them via text messages, a Facebook notice, and a brief posting at its own website. The complaint accuses it of “obfuscating the nature of the attack” and also “the threat it poses to BIN Attack victims.”

Article Type: Lawsuit
Topic: Privacy
Tags: Credit Cards, Exposing Private Information, Exposure to cyber crime, Negligence, Your Bank, Your Privacy