Chime is facing three proposed class-action lawsuits over an alleged data incident orchestrated by an Iran-linked hacktivist group.
The fintech acknowledged a service disruption April 1, noting it was working to resolve an issue and assuring customers that “the money in your account and your personal information are secure.”
Four customers across three lawsuits allege, however, that the hacker group Team 313 breached Chime’s systems and stole personally identifiable information, including but not limited to Social Security numbers, postal and email addresses, phone numbers, account credentials.
“As a result of the events detailed herein, Plaintiff and Class Members suffered harm and loss of privacy, and will continue to suffer future harm,” according to one lawsuit, filed April 17 by Los Angeles-based Chime customer Michael Walsh.
“Victims of the Data Breach are subject to an imminent and ongoing risk of harm, including identity theft and fraud,” according to Walsh’s lawsuit.
A Chime spokesperson said the company believes the claims are without merit.
“We identified and quickly resolved a brief disruption affecting only our marketing website, Chime.com, with no impact to member information. Around the same time, a separate, unrelated internal issue temporarily affected our app,” the spokesperson said. “In both cases, no funds or member data were compromised.”
“Protecting our members’ information is our top priority, and we maintain a robust, industry-leading security program to safeguard their data,” the spokesperson said.
Team 313, also known as 313 Team and The Islamic Cyber Resistance in Iraq, allegedly took responsibility online for crashing Chime’s servers and disabling the application and website.
The breach was “a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect consumers’ PII from a foreseeable and preventable cyber-attack,” alleged Melissa Porter, plaintiff in a lawsuit against Chime filed April 7.
Chime could have prevented consequences of the data breach, including by requiring multifactor authentication to verify access credentials and encrypting data, Porter’s complaint contends.
Plaintiffs Cindy Castaneda of Madera, California, and Lauren Goodloe of Chicago, in a lawsuit jointly filed April 3, alleged injuries including anxiety and poor sleep (for Castaneda) and a late rent payment (for Goodloe) due to their inability to see their account balances and information during the course of Chime’s April 1 outage.
None of the lawsuits include specific issues with plaintiffs’ PII. Rather, they focused on Team 313’s claims of the cyberattack and what’s typically at stake during such attacks.
