Chime Faces Legal Action Over Alleged Cyber Breach
Consumer-facing digital bank Chime has found itself in the crosshairs of multiple proposed class-action lawsuits. The lawsuits, filed in the wake of an April 1 service outage, allege that the pro-Iranian hacker collective known as Team 313 breached Chime’s systems, resulting in the theft of sensitive customer data. Despite these allegations, the fintech firm has publicly maintained that no data compromise occurred during the incident.
Contradictory Claims Spark Controversy
During the April 1 outage that left Chime’s mobile app inaccessible for hours, the company issued a statement on its status page reassuring customers that their financial assets and personal information remained secure. However, three different lawsuits subsequently lodged in the U.S. District Court for the Northern District of California argue otherwise.
These legal actions, initiated by law firm Strauss Borrelli and two other firms, claim that Team 313 infiltrated Chime’s systems on April 1. The alleged breach reportedly resulted in the theft of sensitive customer data, including Social Security numbers, government-issued IDs, and dates of birth.
Plaintiffs Allege Financial Disruptions
Among the complainants are Chime customers Cindy Castaneda and Lauren Goodloe, who filed their lawsuit jointly. They reported being unable to view their account balances during the service disruption. Goodloe expressed concern over a potentially late rent payment due to the outage.
Another plaintiff, Michael Walsh, claimed that he received an alert from his bank concerning an attempt at an unauthorized credit card charge. He also received a notification that his personal information had surfaced on the dark web. A fourth customer, Melissa Porter, cited fear and anxiety as well as the time she spent monitoring her accounts as her primary grievances.
Chime’s Response to Breach Allegations
In response to the allegations, Chime has insisted that no data theft occurred during the April 1 incident. The company has yet to file a notice of a material cybersecurity incident with the Securities and Exchange Commission (SEC). Such a filing is required within four business days of a public company determining that a cybersecurity incident is material, according to a rule adopted by the SEC in 2023.
Chime’s failure to file a disclosure suggests that either the company has not yet concluded whether the incident was material, or it has determined that it was not. Either way, if a court establishes that Chime did indeed suffer a data breach, the company could potentially face legal repercussions under state breach-notification laws and the SEC’s 2023 cybersecurity-disclosure rule.
The Role of Team 313
The alleged involvement of Team 313, a group dubbed “The Islamic Cyber Resistance in Iraq,” adds another layer to the controversy. This group claims credit for the April 1 attack on Chime, stating that it launched a “massive cyberattack” that crashed internal servers and disabled the application and website.
However, it’s worth noting that the group’s primarily employed attack method is a distributed denial-of-service attack, designed to overload a target with traffic to take it offline, rather than steal data. Additionally, cybersecurity firm Hawkeye has previously reported that Team 313 is “known to exaggerate or fabricate breach claims.”
As the legal battle continues, Chime customers and the wider financial sector will no doubt be closely monitoring the situation. The outcome could have significant implications for cybersecurity practices and data protection in the fintech industry.
For more information on this developing story, click here.