Patelco Credit Union Ransomware Attack Exposed 1 Million People’s Most Sensitive Data


Patelco Exposed 1 Million Members’ Social Security Numbers and Let Ransomware Attackers Walk Away

A member-owned credit union trusted with its customers’ most sensitive financial data failed to stop an unauthorized actor from accessing nearly one million people’s names, Social Security numbers, driver’s license numbers, dates of birth, and home addresses.

- $7.25M: Settlement Fund
- ~1M: Members Affected
- 17 Days: Service Disruption
- $5,000: Max Per-Member Payout
TL;DR
In June 2024, Patelco Credit Union, a member-owned financial cooperative based in Dublin, California, suffered a ransomware attack that exposed the private information of approximately one million people. The stolen data included Social Security numbers, driver’s license numbers, dates of birth, addresses, and email addresses, representing some of the most sensitive personal information an institution can hold. Patelco shut down its banking systems for over two weeks, locking members out of online banking, mobile apps, and call centers during a critical period. The institution settled a class action for $7.25 million, admitting no wrongdoing, while members who suffered documented financial harm are entitled to just $5,000 maximum and everyone else receives between $100 and $200.
One million people trusted Patelco with their most sensitive data. Patelco failed them. Demand real accountability, not a $100 check.
- $7.25M: Total Settlement Fund
- ~1M: Individuals Affected
- June 29, 2024: Breach Discovered
- 17 Days: Banking System Blackout
- $5,000: Max Documented Loss Claim
- $100-200: Standard Member Payout
- 35%: Max Attorneys' Fee Request
- $2,500: Service Award Per Plaintiff
🔴 CRITICAL SEVERITY: Full Social Security numbers, driver's license numbers, and financial account data exposed for approximately one million individuals. This class of data enables identity theft, tax fraud, financial account takeover, and long-term harm that may not surface for years.

⚠️ The Full Breakdown

⚠️ Core Allegations
What Patelco is accused of · 6 points
01. Patelco Credit Union, a member-owned financial cooperative, suffered a ransomware attack on June 29, 2024, in which an unauthorized actor accessed databases containing the private information of approximately one million members. (Severity: high)
02. The exposed data included names, dates of birth, home addresses, Social Security numbers, driver's license numbers, and email addresses: the precise combination required to commit identity theft, tax fraud, and financial account takeover. (Severity: high)
03. Patelco voluntarily shut down online banking, mobile applications, and call centers for approximately 17 days (June 29 through July 15, 2024), leaving members unable to access their own money or financial services. (Severity: high)
04. Patelco waited until approximately August 20, 2024, nearly two months after discovering the breach, before notifying affected members whose information may have been compromised. (Severity: high)
05. Plaintiffs allege negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, violations of California's Unfair Competition Law, violations of the California Consumer Privacy Act, and violations of the California Customer Records Act. (Severity: medium)
06. More than 1,000 class members personally contacted class counsel with requests for information, reflecting the scale of confusion, fear, and harm caused by the breach and the accompanying service blackout. (Severity: medium)
📉 Economic Fallout
Financial harm to members · 5 points
01. Members locked out of banking systems for 17 days faced potential inability to pay bills, access emergency funds, make payroll (for small business owners), or conduct routine transactions during the disruption window of June 29 through July 15, 2024. (Severity: high)
02. Some members experienced negative account balances caused by transactions that processed during the service disruption, resulting in debt obligations. Patelco created a separate exclusion category for members with unresolved negative balances or delinquent emergency loans. (Severity: high)
03. Members must now bear the cost and ongoing burden of monitoring their credit, placing fraud alerts, freezing their credit files, and responding to potential identity theft for years into the future. (Severity: high)
04. The $7.25 million settlement divided among approximately one million affected people produces a base payout of roughly $7.25 per person before attorneys' fees (up to 35% of the fund) and administration costs are deducted. California residents receive two shares; all others receive one. (Severity: medium)
05. Members who suffered documented losses must collect and submit receipts, account statements, and professional service invoices to qualify for up to $5,000; those who cannot meet this evidentiary burden receive only $100 to $200. (Severity: medium)
🏛️ Regulatory Failures
How oversight broke down · 4 points
01. Patelco settled without admitting any wrongdoing, meaning no public finding of regulatory failure, inadequate security practices, or negligence was ever formally established, despite allegations under the California Consumer Privacy Act and California Customer Records Act. (Severity: high)
02. California law requires prompt notification to affected individuals following a data breach. Patelco's approximately 52-day delay between discovering the breach (June 29) and notifying members (August 20) raises questions about compliance with California's data breach notification requirements. (Severity: high)
03. Security improvements Patelco promised as part of the settlement remain confidential. A confidential declaration detailing remediation steps was provided to class counsel only, meaning the public has no ability to verify whether Patelco's systems are now meaningfully safer. (Severity: medium)
04. As a federally insured, member-owned credit union, Patelco was subject to NCUA cybersecurity guidance. A successful ransomware attack of this scale raises unresolved questions about whether Patelco maintained adequate security controls required of federally regulated financial institutions. (Severity: medium)
⚖️ Corporate Accountability Failures
Weak penalties, no admission of fault · 5 points
01. Patelco explicitly and repeatedly denied all allegations, denied any wrongdoing, and denied that a class should be certified. The settlement resolved all claims without any public acknowledgment that members were failed or that security was inadequate. (Severity: high)
02. No individual executive, officer, or board member of Patelco faces personal accountability, financial penalty, or professional consequence under the terms of the settlement. (Severity: high)
03. Class counsel requested attorneys' fees of up to 35% of the $7.25 million settlement fund, potentially as high as $2.5375 million in fees alone, leaving substantially less for the approximately one million affected members. (Severity: medium)
04. Members who do not file a valid claim forfeit all rights to sue Patelco over the breach, even if they suffer identity theft or financial loss years later that is traceable to the exposed data. (Severity: high)
05. Patelco retains the right to terminate the settlement entirely if more than 0.5% of the approximately one million class members opt out, giving the institution substantial leverage over participation rates and settlement dynamics. (Severity: medium)

🕐 Timeline of Events
June 29, 2024
Patelco Credit Union discovers a ransomware attack. Unauthorized actors have accessed databases containing member private information. Patelco voluntarily shuts down online banking, mobile apps, and call centers.
July 2, 2024
Plaintiff Carl Cordell files the first lawsuit against Patelco Credit Union. Multiple additional lawsuits are filed in the following weeks.
July 15, 2024
Service disruption ends. Members regain access to banking services after 17 days of lockout.
August 20, 2024
Patelco begins notifying affected members via direct email and substitute notice as required by California law, approximately 52 days after discovering the breach.
August 30, 2024
The court consolidates all related cases and designates the Cordell matter as the lead case. Three firms are appointed as Interim Co-Lead Class Counsel.
October 4, 2024
Plaintiffs file the operative Consolidated Class Action Complaint asserting negligence, breach of contract, CCPA violations, and CCRA violations.
December 19, 2024
First mediation session takes place. The case does not resolve, but counsel gains greater understanding of the facts and each side’s positions.
February 24, 2025
Second mediation session takes place. Again, the case does not immediately resolve.
March 6, 2025
The parties accept a mediator’s proposal and reach agreement in principle on the $7.25 million settlement.
April 18, 2025
Plaintiffs file the Motion for Preliminary Approval of the Class Action Settlement with the Superior Court of California, Alameda County.
May 22, 2025
Preliminary approval hearing is scheduled before Judge Michael Markman in Department 23.

💬 Direct Quotes from the Legal Record
Quote 1 · Scale of breach: approximately 1 million people · Core Allegations
“This Settlement creates a common fund of $7,250,000.00, which provides relief to a Settlement Class involving approximately 1 million individuals.”
💡 One million people had their most sensitive personal data exposed. The $7.25 per person (before fees) that this settlement implies is not accountability. It is a rounding error on a catastrophe.
Quote 2 · Types of data exposed · Core Allegations
“The potentially affected Private Information data elements included names, dates of birth, addresses, Social Security numbers, driver’s license numbers and/or email addresses.”
💡 This is the complete toolkit for identity theft. Social Security numbers in particular cannot be replaced, meaning members face a lifetime of elevated risk from this single security failure.
Quote 3 · Banking blackout: members locked out for 17 days · Economic Fallout
“Defendant voluntarily shut down some of its day-to-day banking systems to contain the impact. This included online banking, mobile applications and call centers.”
💡 Members who relied on Patelco for rent payments, payroll access, or emergency funds were locked out for over two weeks with little recourse. This is not a minor inconvenience: it is a failure to maintain basic service obligations to the people who trusted the institution with their financial lives.
Quote 4 · No admission of wrongdoing · Corporate Accountability Failures
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and expressly disclaims and denies any fault or liability.”
💡 One million people had their data stolen, their banking access severed, and their future security compromised, and the institution responsible walks away without admitting it did anything wrong. This is the standard outcome of data breach settlements in America, and it must change.
Quote 5 · Security "improvements" kept confidential from the public · Regulatory Failures
“Defendant has provided confidential discovery regarding the number of individuals in the Settlement Class, the facts and circumstances of the Data Security Incident and Defendant’s response thereto, and will provide Class Counsel with a confidential declaration.”
💡 The public, including the one million people whose data was stolen, never gets to see what security failures actually caused this breach or verify that Patelco fixed them. Confidentiality agreements shield institutions from the transparency that would actually protect consumers going forward.
Quote 6 · Members who don't file a claim still lose their rights · Corporate Accountability Failures
“If a Settlement Class Member does not submit a Valid Claim or opt-out, the Settlement Class Member will release his or her claims against Defendant without receiving a Settlement Class Member Benefit.”
💡 Members who are unaware of the settlement, do not receive notice, or simply do not act will permanently surrender their right to sue over the breach while receiving nothing in return. This structure systematically benefits the corporation at the expense of those least equipped to navigate a legal claims process.
Quote 7 · Attorneys' fee request: up to 35% of the fund · Corporate Accountability Failures
“Class Counsel shall apply to the Court for an award of attorneys’ fees of up to 35% of the Settlement Fund, plus reimbursement of costs.”
💡 If approved, attorneys could receive up to $2.54 million from the $7.25 million fund. This leaves substantially less than $5 million to be divided among approximately one million people, or under $5 per person before administration costs are also deducted.
Quote 8 · Patelco's opt-out termination trigger · Corporate Accountability Failures
“Defendant shall have the option to terminate this Agreement if more than 0.5 percent of the Settlement Class Members opt-out of the Settlement.”
💡 Patelco reserved the right to walk away from the entire settlement if more than 5,000 of the approximately one million affected members chose to pursue their own claims. This provision structurally discourages members from exercising their legal right to opt out.

💬 Commentary
What exactly happened to Patelco members’ data?
Ransomware attackers gained unauthorized access to Patelco Credit Union’s databases on or before June 29, 2024, when the attack was discovered. They potentially accessed names, dates of birth, home addresses, Social Security numbers, driver’s license numbers, and email addresses for approximately one million members. Patelco shut down its digital banking infrastructure to contain the attack, locking members out for 17 days. The full scope of what the attackers actually did with the data, whether they exfiltrated it, sold it, or only used it as leverage for ransom, has not been publicly confirmed.
Is $7.25 million a meaningful amount of accountability for a breach affecting one million people?
No. Seven million dollars sounds large in isolation, but divided among approximately one million people, it represents about $7.25 per person before attorneys’ fees and administration costs. If the court approves the maximum 35% fee request, attorneys receive $2.54 million, leaving under $5 per person in the pool. The standard payout for members without documented losses is $100 to $200. For comparison, Patelco is a credit union with billions in assets. The settlement is structured to resolve the litigation efficiently, not to compensate members for the lifetime of identity theft risk they now carry as a result of this failure. This is a structural problem with how data breach settlements work in American courts, not unique to this case.
Why did Patelco take two months to notify members?
The settlement documents do not provide a public explanation for the approximately 52-day delay between Patelco discovering the breach on June 29, 2024, and notifying members starting around August 20, 2024. Institutions typically use the time between breach discovery and member notification to investigate the scope of exposure, engage forensic security firms, and prepare remediation steps. However, every week of delay is a week in which affected members cannot take protective action: freezing their credit, placing fraud alerts, or monitoring for identity theft. California law requires prompt notification after a breach, and the adequacy of Patelco's timeline was one of the contested issues in this litigation. No court has ruled on whether the delay was unlawful because the case settled before trial.
Why did Patelco settle without admitting wrongdoing?
Every data breach class action settled in the United States contains a no-admission clause. Corporations routinely settle not because they concede they did anything wrong, but because litigation is expensive, outcomes are uncertain, and settlements cap total liability. From Patelco’s perspective, paying $7.25 million to resolve all claims from one million people is far cheaper than the cost of years of litigation with no guarantee of a favorable outcome. From a systemic perspective, no-admission settlements mean that corporations can fail their customers catastrophically, pay a fraction of the actual harm caused, and continue operating with their legal record clean. This is not a bug in the system. It is a feature designed to protect institutions at the expense of the people who trusted them.
How does this breach affect members long-term?
Social Security numbers are permanent. Unlike a compromised password, a stolen SSN cannot be changed. Every member whose SSN was exposed in this breach now faces a lifetime of elevated risk: fraudulent tax returns, unauthorized credit accounts opened in their name, government benefits fraud, medical identity theft, and employment identity theft. Driver’s license numbers can sometimes be changed, but the process is burdensome and not automatic. The combination of SSN, driver’s license number, date of birth, full name, and home address that Patelco exposed represents a complete identity package. On criminal marketplaces, this data has real market value. The $100 to $200 most members will receive does not begin to compensate for a lifetime of vigilance, freeze maintenance, and identity monitoring those members must now undertake.
What is a credit union supposed to do to protect member data?
Credit unions are federally regulated financial institutions subject to NCUA cybersecurity guidance. They are required to implement reasonable security controls, conduct risk assessments, maintain incident response plans, and protect member data with measures appropriate to the sensitivity of the information held. Patelco maintained Social Security numbers, driver’s license numbers, and financial account information for approximately one million people. This is among the most sensitive categories of data a financial institution can hold. A ransomware attack succeeding at this scale suggests that security controls were inadequate relative to the threat environment. What specifically failed, whether in network segmentation, access controls, endpoint security, or backup and recovery, has not been publicly disclosed because Patelco’s post-breach security review was provided to class counsel under confidentiality.
Is Patelco unique in this type of failure, or is this a broader pattern?
Ransomware attacks against financial institutions, healthcare providers, municipalities, and other organizations that hold sensitive personal data are a systemic crisis in American institutions. Dozens of large-scale data breaches affecting millions of people settle every year for amounts that work out to dollars per person. The institutions involved routinely admit no wrongdoing, pay a fraction of the actual harm caused, and continue operating. The gap between the economic harm suffered by individuals, which can include years of credit monitoring costs, identity theft remediation expenses, and emotional distress, and the dollar amounts available in settlements reflects a legal and regulatory framework that consistently prioritizes institutional convenience over individual accountability. Patelco’s breach is one data point in a pattern that will continue until regulators impose meaningful penalties and require genuine transparency about security failures.
What can I do to prevent this from happening again?
If you are a Patelco member or were affected: immediately freeze your credit at all three bureaus (Equifax, Experian, TransUnion); each offers free credit freezes by law. Apply for an IRS Identity Protection PIN at irs.gov/identity-theft-central to prevent fraudulent tax returns. Monitor your accounts and credit reports. File a valid claim in the settlement before the deadline if you are a class member. Beyond individual action, this pattern of corporate accountability failure requires collective political pressure. Contact your state and federal representatives and demand mandatory minimum data security standards for financial institutions, shorter breach notification windows, and settlement structures that meaningfully compensate harmed individuals rather than functioning primarily as litigation exit ramps for corporations.

About the author: Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
