Chime Faces Class Action Lawsuit Over Alleged Data Breach and Cybersecurity Failures
On April 3, 2026, two Chime customers Cindy Castaneda and Lauren Goodloe filed a class action lawsuit against the San Francisco-based fintech company in the U.S. District Court for the Northern District of California. The suit alleges Chime failed to protect customer data and account access during a cyberattack on April 1, 2026, that disrupted its platform.
The plaintiffs claim they lost access to their accounts during the outage. Castaneda reported being unable to view updated balances in her checking and savings accounts, while Goodloe encountered a black screen displaying outdated information, preventing him from transferring funds or paying bills. The lawsuit states that at the attack’s peak, an estimated 20,000 users experienced issues, with no alternative access to funds due to Chime’s digital-only banking model.
The cyberattack was allegedly carried out by Team 313, a group known for data theft and extortion, which claimed responsibility on its leak site and social media. The lawsuit accuses Chime of failing to meet industry cybersecurity standards, including FTC guidelines, the NIST Cybersecurity Framework, and CIS Critical Security Controls, despite its privacy policy promising robust protections. Additionally, the plaintiffs allege Chime did not notify affected customers in a timely manner, leaving them unable to take protective measures like monitoring accounts or placing fraud alerts. The complaint suggests that stolen personally identifiable information (PII) may already be or soon will be published on the dark web, though Chime has not confirmed this.
The lawsuit includes eight legal claims, among them:
- Negligence and negligence per se for failing to exercise reasonable care in data protection.
- Breach of implied contract and good faith for not delivering on promised security measures.
- Unjust enrichment for profiting from data collection without adequate safeguards.
- Violations of California’s Unfair Competition Law and Consumer Privacy Act for allegedly unlawful business practices and insufficient security for unencrypted PII.
- A request for a declaratory judgment to formally establish Chime’s data security obligations.
The plaintiffs are seeking compensatory and punitive damages, restitution, injunctive relief to enforce security improvements, and attorneys’ fees. The proposed class includes all U.S. residents whose PII was compromised in the April 2026 breach. The case remains pending in federal court in San Francisco, with no settlement or claims process currently in place.
Chime cybersecurity rating report: https://www.rankiteo.com/company/chime-card
"id": "CHI1775493513",
"linkid": "chime-card",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': 'Estimated 20,000 users',
'industry': 'Financial Services',
'location': 'San Francisco, California, USA',
'name': 'Chime',
'type': 'Fintech, Digital Bank'}],
'customer_advisories': 'Delayed notifications to affected customers',
'data_breach': {'data_encryption': 'Insufficient (unencrypted PII)',
'data_exfiltration': 'Alleged (potentially published on the '
'dark web)',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (unencrypted PII)',
'type_of_data_compromised': 'Personally Identifiable '
'Information (PII)'},
'date_detected': '2026-04-01',
'date_publicly_disclosed': '2026-04-03',
'description': 'Two Chime customers filed a class action lawsuit against the '
'fintech company alleging failure to protect customer data and '
'account access during a cyberattack on April 1, 2026, that '
'disrupted its platform. The lawsuit claims Chime did not meet '
'industry cybersecurity standards and failed to notify '
'affected customers in a timely manner, leaving them '
'vulnerable to identity theft and fraud.',
'impact': {'brand_reputation_impact': 'Negative impact due to alleged '
'cybersecurity failures and delayed '
'notifications',
'data_compromised': 'Personally Identifiable Information (PII)',
'identity_theft_risk': 'High (PII potentially published on the '
'dark web)',
'legal_liabilities': 'Class action lawsuit, potential regulatory '
'fines',
'operational_impact': 'Users unable to access accounts, view '
'balances, transfer funds, or pay bills',
'systems_affected': "Chime's digital banking platform"},
'initial_access_broker': {'data_sold_on_dark_web': 'Alleged'},
'investigation_status': 'Pending',
'motivation': 'Data Theft, Extortion',
'post_incident_analysis': {'root_causes': 'Alleged failure to meet industry '
'cybersecurity standards and '
'protect unencrypted PII'},
'ransomware': {'data_exfiltration': 'Alleged'},
'references': [{'source': 'Class Action Lawsuit Filing'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit',
'regulations_violated': ['FTC Guidelines',
'NIST Cybersecurity '
'Framework',
'CIS Critical Security '
'Controls',
'California Consumer '
'Privacy Act',
'California Unfair '
'Competition Law']},
'response': {'communication_strategy': 'Delayed customer notifications'},
'threat_actor': 'Team 313',
'title': 'Chime Class Action Lawsuit Over Alleged Data Breach and '
'Cybersecurity Failures',
'type': 'Data Breach, Cyberattack, Service Disruption'}