Digital lender Varo Bank has been accused of failing to protect the personal information of thousands of customers whose details were exposed in a March data breach.
A lawsuit seeking class action status, filed last week against the San Francisco-based lender by James Medlin, said Varo failed to protect personally identifiable information stored within the bank’s network, including names, addresses, email addresses, phone numbers, bank account numbers and the last four digits of Social Security numbers.
Varo “disregarded the rights of Representative Plaintiff and Class Members by intentionally, willfully, recklessly and/or negligently failing to take and implement adequate and reasonable measures to ensure that…[their] Private Information was safeguarded,” said the complaint, filed May 14 in U.S. District Court for the Northern District of California.
The lawsuit also alleged that the lender disregarded mandated protocols, policies, and procedures concerning data encryption, even for internal usage, thereby compromising security safeguards.
Varo’s failure to protect the data led to an unauthorized data breach by “an unknown and unauthorized third party—an undoubtedly nefarious third party seeking to profit off this disclosure by defrauding Representative Plaintiff and Class Members in the future,” the lawsuit said.
Though the lawsuit does not claim a specific sum in compensation, it states that the amount in question exceeds $5 million.
Varo, for its part, said it had not experienced a data breach and that its operations had not been affected. However, customer data was compromised, and an unauthorized third party used customer credentials to log into their Varo accounts, according to a notice the bank sent its customers on May 7.
“Varo’s security measures identified that some clients may have had their credentials compromised from an outside source unaffiliated with Varo. To be clear, Varo did not experience a breach of its network,” a spokesperson for Varo told Banking Dive via email. “Varo proactively reached out to customers to notify them about the issue and provided them with the tools and information to better protect themselves.”
A data breach notice submitted to the Maine Attorney General’s office by Jeff Jones, Varo’s assistant general counsel and chief privacy officer, detailed that the breach impacted 7,007 people and was discovered on April 10.
However, the lender acknowledged that it identified some “unusual activity related to a subset of its customer accounts” on March 12 and promptly blocked it, according to the notice. Varo launched an investigation and completed its review around March 27, concluding some customer information was potentially accessible to an outside source. As a precautionary measure, Varo offered to provide its customers access to free credit monitoring services for two years through TransUnion and asked them to enroll.
Data breaches: reasons and remedies
Data breaches can occur for various reasons, including human error, insufficient security policies, software vulnerabilities and targeted cyberattacks, and the complexity of an information system can make it challenging to identify every potentially vulnerable point, according to Vahid Behzadan, an assistant professor of computer science and data science at the University of New Haven.
“It sometimes takes a significant amount of time for companies to detect data breaches due to the sophisticated nature of modern cyber threats. Attackers can implant malware that operates stealthily, evading detection by standard security measures,” Behzadan said in an email.
Moreover, many organizations lack the advanced monitoring tools to detect network anomalies, while a skills gap in many information technology departments can further delay the recognition and understanding of breach indicators, he added.
Cybersecurity spending decisions vary from one organization to another. However, Behzadan thinks it is necessary to have a robust risk management system in place, since the “financial consequences and reputational damage from a data breach can be far more costly than the initial investment in cybersecurity.” He noted that cybersecurity should be considered an essential part of the system rather than optional.
One way to limit the damage from data breaches is to encrypt sensitive information, he said. Encryption should be an integral part of data security and “acts as a last line of defense by ensuring that data, even if intercepted, remains unreadable and unusable without the decryption key,” according to Behzadan. Though not foolproof, encryption substantially increases the effort attackers need to make use of stolen data, strengthening an organization’s overall security.
He pointed out that while it might not be feasible to completely prevent data breaches, a robust cybersecurity strategy that includes layers of protection across all information systems and data types can significantly reduce their frequency and impact.
“Regular security assessments and updates, sophisticated threat detection systems, continuous employee training, and strong incident response plans are essential. Collaboration with cybersecurity experts and investing in technologies such as AI for predictive threat analysis can further help in fortifying defenses against data breaches,” Behzadan noted.