WASHINGTON—CUNA is trying to recruit at least one credit union from each of the 50 states to join a class-action lawsuit against Home Depot in connection with a massive data breach at the retail giant late last year.
In a statement, CUNA said such an action would "best ensure [that] monetary recovery from the September 2014 data breach at Home Depot is available to credit unions in all states."
Plaintiffs in the case also include other financial institutions around the country. The suit seeks recovery and injunctive relief associated with Home Depot's 2014 data breach. CUNA said the breach resulted in credit unions bearing "tens of millions of dollars" in costs. In October, CUNA estimated the total amount lost by credit unions at about $60 million.
Home Depot has already acknowledged that a total of 56 million credit and debit cards were compromised in the breach.
According to its recent financial performance report filed with the SEC, Home Depot claimed the breach was caused by hackers who intruded upon the company's payment data systems, "which potentially impacted customers who used payment cards at self-checkout systems in our U.S. and Canadian stores."
Those hackers used a vendor's user name and password to enter the perimeter of Home Depot's network, the company added. Subsequently, the intruders acquired rights that allowed it to navigate parts of the retailers' systems and to deploy a malware system on its self-checkout systems to access payment card information.
Susan Parisi, chief counsel of CUNA, emphasized that credit unions still need to make their own decision about whether joining as a named plaintiff is right for them.
The trade group also assured that credit unions who choose not to participate as named parties could still likely participate as class members. No immediate action is needed by credit unions not wishing to be named parties.
CUNA also said that parties to the lawsuit must be identified and evaluated by the May 15 deadline for inclusion in the suit.
"Credit union members need a solution to the problem of merchant data breaches," said CUNA CEO Jim Nussle in a statement. "Credit unions around the country have been dealt a huge blow by merchant data breaches and CUNA expended significant resources and has been diligently working with its credit union members to address and respond to the Home Depot data breach." Nussle added that CUNA did not make the decision to join the lawsuit lightly. "We stand with our credit union members and believe consumers must be protected from merchant negligence," he stated. "Home Depot continues to operate using the inferior systems and procedures that gave rise to the breach and it is unacceptable."
CUNA has retained the services of legal firms Scott + Scott, LLP and Hausfield of Washington in its lawsuit.
According to the litigation filing, a number of credit unions are already listed as plaintiffs in the suit, including Northeastern Engineers Federal Credit Union (a $64-million institution in Richmond Hill, N.Y.); Southern Chautauqua Federal Credit Union ($62 million, Lakewood, N.Y.), Suncoast Credit Union ($6 billion, Tampa, Fla;) and Animas Credit Union ($126 million, Farmington, N.M.)
A partial list of plaintiffs can be found here.