Patelco Credit Union Ransomware Attack Exposed 1 Million People’s Most Sensitive Data
The Non-Financial Ledger: What a Number Cannot Say
Picture this. It is the last Saturday of June 2024. You open your banking app to check your balance before a grocery run and the screen is dead. You call the bank. The line rings out. You check your email: there is nothing from Patelco yet. You have no idea if your rent check will clear, whether your direct deposit will land, or if someone is already using your Social Security number somewhere across the country. You just know that the institution you trusted with your most sensitive financial life has gone dark.
That silence lasted over two weeks for roughly one million people. Patelco voluntarily shut down online banking, its mobile app, and its call centers on June 29, 2024. For sixteen days, members of a credit union, a structure that is supposed to be owned by its members, could not reliably access their own accounts. The people who suffered the most were not the ones who could survive a temporary cash crunch. They were the members living paycheck to paycheck, people who needed to pay utilities, cover childcare, buy medication, or make minimum credit card payments to avoid fee spirals.
Some of those members watched their accounts tip into negative balances because automatic transactions, bills, and payments kept processing while Patelco’s systems were locked down. Those people then found themselves in debt to the very institution that had just failed to protect their data. Patelco offered emergency relief loans to help members cover those negatives. That sounds compassionate until you read the settlement fine print: any member who took that loan and is currently delinquent or in default on repayment is excluded from the settlement class. They cannot claim a single dollar of the $7.25 million. The people most financially hurt by the breach are the ones left out of the compensation.
Then there is the longer, quieter damage that a court settlement cannot put a price on. Social Security numbers do not expire. They do not reset. Once that number is in criminal hands, it can be used years later to open fraudulent credit lines, file false tax returns, steal government benefits, or commit medical identity fraud. Every one of the approximately one million people affected by this breach now carries that vulnerability for life. They must monitor their credit. They must scrutinize their Explanation of Benefits statements. They must file an identity theft report if something surfaces, navigate a bureaucratic nightmare, and fight to reclaim financial standing they did nothing to lose.
The settlement offers two years of credit monitoring. That is a gesture toward a lifetime problem. The attorneys who negotiated this deal believe it is the best achievable outcome under the legal circumstances, and they may be right. But the arithmetic of what a settlement can deliver versus what these people actually lost is a gap that no court order can close.
A credit union is a cooperative. The word means something specific: the members are the owners. They trusted Patelco not because they had no other choice but because a credit union, by its founding purpose, is supposed to prioritize its members over profit. The breach did not just expose data. It exposed the distance between what a member-owned institution promises and what it actually delivers when security is treated as a cost center rather than a core obligation.
Legal Receipts: What the Documents Actually Say
These are direct quotes from the Class Action Settlement Agreement and supporting declarations filed in Case No. 24CV082095. Nothing has been paraphrased. Read what the parties agreed to in their own words.
“On June 29, 2024, Defendant discovered a ransomware attack involving unauthorized access to some of its databases. Defendant voluntarily shut down some of its day-to-day banking systems to contain the impact. This included online banking, mobile applications and call centers.”
- This confirms that Patelco’s response to the breach was to remove member access to their own accounts. The stated rationale was containment, not member protection. Members bore the operational cost of Patelco’s remediation.
- The disruption is officially documented as lasting from June 29 to approximately July 15, 2024, a sixteen-day window during which normal banking was impossible for over a million people.
“The potentially affected Private Information data elements included names, dates of birth, addresses, Social Security numbers, driver’s license numbers and/or email addresses.”
- This is the full inventory of what was exposed. Social Security numbers and driver’s license numbers are the two most dangerous categories because they are the primary credentials used for identity theft, new account fraud, and government benefit fraud. Both were in the breach.
- The word “potentially” is doing significant legal work here. It shields Patelco from confirming that every class member’s data was definitively accessed, while still requiring those members to release all future claims.
“This Settlement creates a common fund of $7,250,000.00, which provides relief to a Settlement Class involving approximately 1 million individuals.”
- At maximum class participation, this fund equals $7.25 per person before fees, administration costs, and service awards are deducted. Attorneys may request up to 35% of the fund, or up to $2,537,500. Twelve named plaintiffs may each receive up to $2,500 in service awards, totaling up to $30,000 more.
- After those deductions, the residual available for victim payments is a fraction of the headline number. The $7.25 million figure is real money; how much of it reaches the people who were harmed is a different question.
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and expressly disclaims and denies any fault or liability, or any charges of wrongdoing that have been or could have been asserted in the Complaints. Nothing contained in this Agreement shall be used or construed as an admission of liability.”
- This is boilerplate in corporate settlements, but it has real consequences. Patelco pays $7.25 million and walks away with its reputation legally intact. No finding of negligence, no finding of regulatory violation, no public record of wrongdoing that can be used against it in any future case.
- This clause protects Patelco from the next breach victim, the next regulator, and the next lawsuit. It is not just legal language; it is a shield purchased with the settlement fund.
“Any person whose Patelco account had a negative balance after August 20, 2024, as a result of transactions that occurred between June 29, 2024 and July 14, 2024, and who has not brought that account positive or paid the debt to Patelco in full as of the date of this Settlement Agreement… [are excluded from the Settlement Class].”
- Members whose accounts went negative specifically because of the service disruption caused by Patelco’s breach, and who have not yet repaid those negative balances to Patelco, are excluded from receiving any settlement payment. The people most financially damaged by the breach response are disqualified from compensation.
- A separate exclusion applies to members who took Patelco’s emergency relief loan to cover those negative balances and are now delinquent on repayment. These members are also cut out. The emergency loan became both a lifeline and a trap.
“Business Practice Changes – Plaintiffs have received assurances that Defendant either has undertaken or will undertake specific, reasonable steps to further secure its systems and environments. Defendant… will provide Class Counsel with a confidential declaration… detailing the changes and improvements that have been made or are being made to protect class members’ Private Information.”
- The security improvements are confidential. The public, including the one million affected members, cannot learn what security failure allowed the breach to happen, what was fixed, or whether the fixes are adequate. Only the attorneys who negotiated the settlement can see this declaration.
- “Assurances” and “will undertake” are not the same as completed, audited, verified remediation. The settlement does not require Patelco to prove its security improvements to any independent third party or to the court in a form the public can review.
“Defendant shall have the option to terminate this Agreement if more than 0.5 percent of the Settlement Class Members opt-out of the Settlement.”
- If more than 5,000 of the approximately one million class members opt out (0.5%), Patelco can walk away from the entire settlement. This clause protects Patelco from a scenario where the settlement loses its value as a class-wide release of claims.
- This creates an asymmetry: members who opt out to preserve their individual rights risk triggering a scenario where the entire settlement collapses, leaving all remaining class members with nothing and having to start the litigation process over.
Societal Impact Mapping
Public Health
Identity theft and data exposure carry documented public health consequences that extend well beyond financial harm.
- Social Security numbers and dates of birth, both confirmed as exposed in this breach, are the primary credentials used for medical identity theft. A fraudulent patient can use a victim’s identity to receive care, creating false records that corrupt the real patient’s medical history. Incorrect blood types, allergies, and diagnoses in a corrupted record can cause direct physical harm in an emergency situation.
- The psychological toll of identity theft is clinically documented. Victims report anxiety disorders, depression, and sleep disruption stemming from prolonged uncertainty about financial standing and the ongoing vigilance required to monitor for fraudulent activity. The one million affected individuals now carry this burden indefinitely, because SSNs cannot be changed without extraordinary proof of harm.
- The sixteen-day service disruption specifically affected members’ ability to access funds for essential needs. People who could not verify account balances, transfer funds, or reach customer service during this period may have been unable to fill prescriptions, pay for medical appointments, or manage health-related financial obligations that require real-time banking access.
- Driver’s license numbers were also included in the exposed data. These are used in some states for prescription drug monitoring programs, and fraudulent use of driver’s license credentials can implicate a victim in pharmaceutical fraud investigations, creating encounters with law enforcement that are themselves traumatic.
Economic Inequality
The breach and its settlement structure amplify existing economic inequality in documented and structural ways.
- The settlement’s exclusion of members with unresolved negative balances creates a two-tier system: members who had savings to buffer the disruption are eligible for compensation, while members living paycheck to paycheck, who were most likely to see their accounts go negative during the sixteen-day blackout, are explicitly barred from relief.
- The pro-rata cash payment structure means that the less money you lost in documentable ways, the less you receive. Low-income members who cannot produce documentation of specific losses, such as bank statements, fraud reports, or receipts for identity theft recovery expenses, receive only the nominal $100 pour-over payment, subject to downward pro-rata adjustment. Documenting harm is itself a privilege requiring time, literacy, and access to records.
- The requirement to submit claims within 75 days of notice, using either an online portal or U.S. mail, disadvantages elderly members, members with disabilities, and members without reliable internet access. Those who fail to claim receive nothing and still release all legal rights.
- Social Security number exposure has outsized consequences for lower-income individuals because they have fewer financial buffers to absorb fraudulent activity. A fraudulent tax return filed with a stolen SSN delays a victim’s refund, which for low-income filers can mean months of financial hardship waiting for the IRS to resolve a dispute they did not cause.
- Attorney fees of up to 35%, or roughly $2.54 million, are paid out of the same fund that compensates victims. While legal representation is necessary and the attorneys did perform substantial work, the fee structure means that one-third of every dollar in the fund meant to compensate victims is gone before it reaches them.
- Credit monitoring services, offered as part of the remediation package in many breach settlements, are less useful to people who already have poor credit scores or limited credit history, since they are monitoring for a change in a profile that may already be compromised or thin.
The “Cost of a Life” Metric
What Now? How to Protect Yourself and Push Back
If your information was in Patelco’s systems on or around June 29, 2024, your window to act is open. Here is what you can do right now.
Your Immediate Options Under the Settlement
- File a claim for documented losses (Cash Payment A): If you experienced fraud, identity theft, unauthorized charges, or specific financial losses you can document, submit a claim for up to $5,000. You will need supporting documentation: bank statements, fraud reports, receipts for recovery expenses such as credit monitoring subscriptions or attorney consultations.
- File a claim for the flat payment (Cash Payment B): Even without documented losses, you can claim the pour-over flat payment, nominally $100, or $200 if you were a California resident during the breach period. The actual amount adjusts based on how many people file. Submit a claim form at the settlement website before the deadline, which is 75 days after the official Notice Date.
- Opt out to preserve your right to sue: If you believe your losses are substantial enough to warrant individual litigation, you must opt out in writing, signed by hand, before the 45-day Opt-Out Period deadline. Include your full name, address, phone, email, the case name and number (Cordell et al. v. Patelco Credit Union, Case No. 24CV082095), and your Patelco account number. Mail to: Cordell et al. v. Patelco Credit Union Settlement, c/o Angeion Group, 1650 Arch Street, Suite 2210, Philadelphia, PA 19103.
- Object without opting out: If you want the settlement improved but do not want to lose your right to a share, submit a written objection to the Settlement Administrator before the 45-day Objection Period deadline. You can appear at the Final Approval Hearing and address Judge Markman directly.
Regulatory Watchlist
These agencies have jurisdiction over conduct involved in this case. File a complaint, demand enforcement, and track their actions.
- California Department of Financial Protection and Innovation (DFPI): The primary regulator for credit unions chartered in California. File a member complaint directly about Patelco’s data security practices and the service disruption.
- National Credit Union Administration (NCUA): Federal regulator for all federally insured credit unions. Patelco’s federally insured status means NCUA has oversight authority over its cybersecurity standards. File a complaint at mycreditunion.gov.
- Federal Trade Commission (FTC): File an identity theft complaint at IdentityTheft.gov. The FTC’s database tracks breach patterns and informs enforcement actions. Your report adds to the evidentiary record.
- California Attorney General (DOJ): The California Consumer Privacy Act, one of the laws cited in the complaint, is enforced by the California AG’s office. File a CCPA complaint at oag.ca.gov. The AG has independent authority to pursue enforcement regardless of the civil settlement.
- Internal Revenue Service (IRS): If your Social Security number was exposed, file IRS Form 14039 (Identity Theft Affidavit) to place a flag on your tax account. Request an Identity Protection PIN (IP PIN) to prevent fraudulent tax returns from being filed in your name.
- Social Security Administration (SSA): Create or verify your my Social Security account at ssa.gov to detect unauthorized benefit claims. Monitor for unauthorized changes to your earnings record.
Mutual Aid and Grassroots Action
- Freeze your credit at all three bureaus immediately: Experian, Equifax, and TransUnion all offer free credit freezes. A freeze prevents new accounts from being opened in your name. It is free, takes minutes online, and is the single most effective protection against new-account identity theft.
- Place a fraud alert: A free one-year fraud alert requires lenders to take extra verification steps before opening credit in your name. File with one bureau and it automatically notifies the others.
- Share this information in your local community: Many people who received a Patelco breach notification do not know they are in a class action settlement or what their rights are. Share the settlement website and this article with neighbors, family members, and community groups, particularly those who are older, have limited English, or have less digital literacy.
- Connect with local consumer law attorneys: If you experienced documented identity theft, legal aid organizations in your county may provide free consultations. California has robust identity theft remediation laws that go beyond what this settlement provides.
- Demand public accountability from Patelco’s board: Credit unions are member-governed. Members have the legal right to attend annual meetings, ask questions of leadership, and vote on board composition. Use that right. Ask publicly what security improvements were made, who approved the pre-breach security posture, and what internal accountability, if any, followed.
The source document for this investigation is attached below.


