Columbia Bank Faces Class Action Over 119-Day Delay in Data Breach Notification
Columbia Bank is under fire after waiting nearly four times the legal limit 119 days to notify customers of a data breach that exposed sensitive personal information. The incident, discovered on December 19, 2023, involved unauthorized access to customer data, including names, Social Security numbers, driver’s license numbers, and financial account details. The breach persisted from October 2 to December 22, 2023, before the bank cut off the attacker.
Affected customers, totaling 7,067 individuals, were only informed via mailed notices beginning April 17, 2024. The delay violates Washington’s Data Breach Disclosure Law, which mandates notification within 30 days of discovery. Oregon resident Kristi Meyers filed a federal class action lawsuit in Seattle on May 14, alleging negligence, invasion of privacy, and violations of Washington’s consumer-protection statutes. Meyers also reported $700 in fraudulent charges on her Columbia Bank debit card, including unauthorized gift card purchases and a gas station transaction in Springfield, Oregon.
Columbia Bank, a $66 billion-asset institution headquartered in Tacoma, Washington, operates over 350 branches across eight Western states. Despite the breach’s scale, the bank determined the incident was not material to investors, avoiding an SEC disclosure under the agency’s new four-day reporting rule for cybersecurity incidents.
The bank’s notice letter revealed little about the attack’s origin, though Meyers’ lawsuit claims the data was stored unencrypted in an internet-accessible environment. Columbia Bank engaged an unnamed forensic firm and law enforcement but did not attribute the delay to an investigative hold. The bank completed its review of affected data on March 6, 2024, taking 77 days within industry standards to assess the exposure before mailing notices 42 days later.
This is the second data breach-related class action against Columbia Bank or its predecessor in three years. The bank has not publicly addressed the breach on its website, and a spokesperson did not respond to requests for comment.
Source: https://www.americanbanker.com/news/how-columbia-bank-kept-a-breach-quiet-for-119-days
Columbia Bank cybersecurity rating report: https://www.rankiteo.com/company/columbiabank
"id": "COL1778841048",
"linkid": "columbiabank",
"type": "Breach",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '7,067 individuals',
'industry': 'Banking',
'location': 'Tacoma, Washington, USA',
'name': 'Columbia Bank',
'size': '$66 billion in assets, over 350 branches '
'across eight Western states',
'type': 'Financial Institution'}],
'customer_advisories': 'Mailed notices sent to affected customers beginning '
'April 17, 2024',
'data_breach': {'data_encryption': 'No (data stored unencrypted)',
'number_of_records_exposed': '7,067',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (personally identifiable and '
'financial information)',
'type_of_data_compromised': ['Names',
'Social Security numbers',
'Driver’s license numbers',
'Financial account details']},
'date_detected': '2023-12-19',
'date_publicly_disclosed': '2024-04-17',
'date_resolved': '2023-12-22',
'description': 'Columbia Bank faced a data breach involving unauthorized '
'access to sensitive customer information, including names, '
'Social Security numbers, driver’s license numbers, and '
'financial account details. The breach persisted from October '
'2 to December 22, 2023, but customers were only notified 119 '
'days after discovery, violating Washington’s Data Breach '
'Disclosure Law. A class action lawsuit was filed alleging '
'negligence and privacy violations.',
'impact': {'brand_reputation_impact': 'Negative publicity, second '
'breach-related class action in three '
'years',
'customer_complaints': 'Class action lawsuit filed',
'data_compromised': 'Sensitive personal information, including '
'names, Social Security numbers, driver’s '
'license numbers, and financial account '
'details',
'financial_loss': '$700 (reported by one customer)',
'identity_theft_risk': 'High (exposure of Social Security numbers '
'and financial account details)',
'legal_liabilities': 'Violation of Washington’s Data Breach '
'Disclosure Law, potential fines and legal '
'actions',
'payment_information_risk': 'High (fraudulent charges reported)'},
'investigation_status': 'Completed (review finished on March 6, 2024)',
'post_incident_analysis': {'root_causes': 'Unencrypted data stored in an '
'internet-accessible environment'},
'references': [{'source': 'Class action lawsuit filing'},
{'source': 'Columbia Bank breach notice letter'}],
'regulatory_compliance': {'legal_actions': ['Federal class action lawsuit '
'filed in Seattle on May 14, '
'2024'],
'regulations_violated': ['Washington’s Data Breach '
'Disclosure Law (30-day '
'notification '
'requirement)'],
'regulatory_notifications': 'Not disclosed to SEC '
'as not deemed material '
'to investors'},
'response': {'communication_strategy': 'Mailed notices to affected customers '
'beginning April 17, 2024; no public '
'statement on website',
'containment_measures': 'Cut off attacker access on December 22, '
'2023',
'law_enforcement_notified': True,
'third_party_assistance': 'Unnamed forensic firm'},
'title': 'Columbia Bank Data Breach and Delayed Notification',
'type': 'Data Breach',
'vulnerability_exploited': 'Unencrypted data stored in an internet-accessible '
'environment'}