Tri Counties Bank Left 74,385 People Exposed for 8 Months

Corporate Accountability Project · Banking Industry · Data Security · Class Action · California, 2023-2025
Data Security Breach · Corporate Misconduct


In February 2023, a cyberattack stripped away the most sensitive personal data of 74,385 customers. Social Security numbers, medical records, passport numbers, financial account details, and mother’s maiden names were stolen. The bank did not notify the affected customers for eight months.

Industry: Banking · Case type: Class action · Period: 2023-2025 · Affected: 74,385
HIGH SEVERITY: Mass exposure of financial, medical, and identity data affecting tens of thousands of California banking customers
The Short Version

In February 2023, hackers broke into Tri Counties Bank’s computer systems and stole a database containing some of the most sensitive personal information imaginable. Social Security numbers, driver’s license numbers, medical information, health insurance data, passport numbers, financial account details, digital signatures, tax IDs, and mother’s maiden names for 74,385 people were taken. The bank sat on this information for eight months before notifying affected customers in October 2023. A class action lawsuit brought by three California women forced the bank to the table, resulting in a $1.185 million settlement fund, plus more than $1 million in security upgrades the bank committed to making. That’s a combined total economic value of over $2.185 million. The bank denies wrongdoing. The data is already out there.

Demand that banks protect your data before breaches happen, not after. Push for stronger federal data security standards for financial institutions.

Key Numbers
74,385: Customers whose private data was exposed
$1.185M: Cash settlement fund for victims
$1M+: Security upgrades the bank committed to implement
$2.185M: Total economic benefit to class members
8 months: Time before customers were notified of the breach
$5,000: Maximum individual documented-loss payment
THE ALLEGATIONS
Core Allegations: What They Did
Negligence, inadequate security, delayed notification · 6 points
01 (High) A threat actor breached Tri Counties Bank’s computer systems on February 7 and 8, 2023, and acquired database files containing the private information of 74,385 customers.
02 (High) The stolen data included Social Security numbers, driver’s license numbers, financial account information, medical information, health insurance information, dates of birth, passport numbers, digital and electronic signatures, tax identification numbers, access credentials, and mother’s maiden names.
03 (High) The bank did not begin notifying affected individuals until October 12, 2023, roughly eight months after the attack. The settlement recital dates the attack to February 7-8 but does not say when the bank first detected it; either way, for those months customers were exposed to identity theft and fraud without knowing it.
04 (High) Plaintiffs allege that Tri Counties Bank failed to implement adequate data security practices, constituting negligence and breach of contract, and that these failures directly caused the harm suffered by class members.
05 (Med) Three separate class action lawsuits were filed in California courts within weeks of the October 2023 notification, a sign of how widespread the perceived harm was.
06 (Med) The bank does not dispute that the data security incident occurred. The settlement agreement, signed by the bank’s own general counsel, recites the incident as fact.
Corporate Accountability Failures
Weak penalties, denial of liability, settlement without admission · 5 points
01 (High) Tri Counties Bank explicitly denies any and all wrongdoing in the settlement agreement, meaning 74,385 people had their most sensitive data stolen, and the bank faced zero official admission of responsibility.
02 (High) The $1.185 million cash settlement fund divided across 74,385 affected customers comes to roughly $16 per person before attorneys’ fees, administrative costs, and service awards are deducted.
03 (Med) Attorneys may request up to 35% of the total economic benefit ($2.185 million) as fees, meaning legal costs could absorb a significant portion of the cash available to victims.
04 (High) The settlement agreement states it cannot be used as evidence of wrongdoing in any other proceeding, so the bank’s decision to settle cannot be cited as proof of liability elsewhere.
05 (Med) No individual bank executive faces personal liability or named accountability under the settlement. The institution pays; no individual within it is held responsible.
Economic Fallout for Victims
Financial harm to consumers and class members · 5 points
01 (High) Affected customers faced documented out-of-pocket costs including the expense of purchasing credit reports, credit monitoring services, and fraud resolution services, and of addressing actual identity theft and fraud traceable to the breach.
02 (Med) The settlement reimburses documented losses only up to $5,000 per person, and only for losses customers can prove with receipts and bank statements. Victims without such documentation receive at most the $100 alternative cash payment.
03 (High) The exposure of financial account information, access credentials, and digital signatures creates ongoing fraud risk that extends far beyond the settlement period, yet the settlement releases all future claims against the bank.
04 (Med) California residents receive an additional $150 statutory cash payment, acknowledging that state consumer protection laws recognize harm beyond documented losses. Customers in other states receive no such additional payment.
05 (Med) The identity theft and fraud monitoring offered covers only one year and one credit bureau, a narrow remedy for data that includes Social Security numbers and passport numbers with lifelong theft potential.
Personal Safety and Privacy Harm
Medical data, sensitive identity records, lifelong exposure risk · 4 points
01 (High) Medical information and health insurance data were among the categories stolen, meaning affected customers’ most private health histories were exposed to unknown criminal actors.
02 (High) A passport number changes only when the passport is replaced, and a mother’s maiden name cannot be changed at all, so victims face an ongoing and essentially permanent risk of identity fraud that no settlement payment can undo.
03 (High) Digital and electronic signatures were compromised, meaning criminals obtained material that could potentially be used to impersonate victims in legal or financial transactions.
04 (High) For eight months after the breach, 74,385 people were unaware that their most sensitive information was in criminal hands. During this window, victims had no reason to take protective action, monitor accounts, or alert other financial institutions.
Regulatory and Oversight Failures
How weak enforcement enables corporate negligence · 4 points
01 (High) The eight-month delay between the attack and customer notification raises serious questions about whether existing breach notification laws are strong enough, or whether penalties for delay are meaningful enough to deter slow disclosure. Federal banking regulators do require a bank to report a significant computer-security incident to its primary federal regulator within 36 hours, but that rule runs to the regulator, not to customers; the federal interagency guidance and California law that govern customer notice require it only “as soon as possible” or “without unreasonable delay”, with no fixed deadline.
02 (High) No state or federal regulator appears, on this record, to have compelled the bank to notify customers faster. Private litigation from three individual customers was the mechanism that ultimately held the bank accountable.
03 (Med) The bank’s security remediation came only after litigation pressure, not proactive regulatory enforcement, illustrating that corporate data protection improvements often require costly lawsuits rather than functioning oversight systems.
04 (Med) The settlement allows the bank to implement security fixes in exchange for releasing all class member claims, a structure that rewards eventual compliance rather than preventing harm through robust pre-breach standards.
TIMELINE OF EVENTS
Feb 7-8, 2023
Cyberattack strikes Tri Counties Bank’s computer systems. A threat actor acquires database files containing private information of tens of thousands of customers, including SSNs, medical data, financial records, and passport numbers.
Oct 12, 2023
Eight months after the breach, Tri Counties Bank begins notifying affected customers. This is the first time the 74,385 victims learn their data was exposed.
Oct 20, 2023
Plaintiff Sarah Watkins files the first class action lawsuit in Contra Costa County Superior Court, represented by Scott Edward Cole of Cole & Van Note.
Nov 7, 2023
Plaintiff Donna Dryden files a separate class action in Butte County Superior Court, represented by Jason Wucetich of Wucetich & Korovilas LLP.
Dec 6, 2023
Plaintiff Rita Delgado files a third class action in Butte County Superior Court, represented by John J. Nelson of Milberg Coleman Bryson Phillips Grossman.
Jul 10, 2024
The court consolidates all three cases in Butte County and appoints Scott Cole, Jason Wucetich, and John Nelson as Interim Co-Lead Class Counsel for the consolidated case.
Aug 21, 2024
Plaintiffs file a Consolidated Complaint in the consolidated action, formally unifying the claims of all three original plaintiff groups.
May 20, 2025
The parties engage in a full-day mediation before retired Judge John Thornton of JAMS and, after intensive negotiations, reach a settlement on the basis of a mediator’s proposal.
Nov 2025
The parties execute the formal Class Action Settlement Agreement and Release. Tri Counties Bank SVP/General Counsel Greg Gehlmann signs for the defendant on November 24, 2025.
Jan 21, 2026
Hearing scheduled for the court to consider the motion for preliminary approval of the settlement, assigned to the Honorable Virginia L. Gingery in Butte County.
FROM THE LEGAL RECORD
Quote 1 · Core Allegations: Scope of stolen data confirmed in the settlement agreement
“A threat actor acquired certain database files that included names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, medical information, health insurance information, dates of birth, passport numbers, digital/electronic signatures, tax identification numbers, access credentials, and mother’s maiden names.”
This is the full scope of what was stolen. It covers nearly every category of sensitive identity data a criminal would need to impersonate, defraud, or extort a victim.
Quote 2 · Corporate Accountability: Bank denies all wrongdoing while paying over $2 million in relief
“Defendant specifically denies any and all wrongdoing. The existence of, terms in, and any action taken under or in connection with this Agreement shall not constitute, be construed as, or be admissible in evidence as, any admission by Defendant.”
The bank pays over $2 million in total relief while simultaneously insisting it did nothing wrong. This is a standard corporate litigation playbook: pay to make it go away without ever accepting accountability.
Quote 3 · Core Allegations: Roughly 74,000 victims confirmed by the bank’s own disclosure
“Defendant disclosed that there were approximately 74,000 individuals whose information was potentially compromised in the Data Security Incident.”
The bank itself confirmed the approximate scale of the harm in pre-mediation disclosures. There is no real dispute about how many people were affected.
Quote 4 · Core Allegations: The bank did not tell customers for eight months
“Defendant discovered a cybersecurity attack that affected its computer systems between February 7, 2023 and February 8, 2023… Defendant began notifying potentially impacted individuals about the Data Security Incident on or around October 12, 2023.”
Attack in February. Notification in October. The recital dates the attack to February 7-8 but does not say when the bank discovered it, so the eight-month figure measures from the intrusion rather than from the bank’s first awareness of it. For customers the distinction changes nothing: throughout that gap, 74,385 people had no idea their most sensitive information was in criminal hands and could not take any protective action.
Quote 5 · Corporate Accountability: Settlement fund is non-reversionary, meaning the bank cannot claw back unspent money
“The Parties agree that no portion of the Settlement Fund shall ever be paid or returned to Defendant.”
This is a meaningful protection for class members. Any money not claimed flows to other claimants or a cy pres charity, not back to the bank. It does not undo the harm, but it prevents the bank from profiting from low claim rates.
Quote 6 · Regulatory Failures: Security improvements valued at over $1 million, paid separately by the bank
“Defendant has committed to continue implementing and maintaining the Settlement Remedial Measures to its data system security… The estimated cost of such measures is in excess of One Million Dollars ($1,000,000).”
The bank is spending more than $1 million on security fixes it should have implemented before the breach. Customers paid for inadequate security with their most sensitive personal data.
COMMENTARY
What exactly was stolen, and how serious is this breach?
This breach is about as serious as they get. The stolen data includes Social Security numbers, driver’s license numbers, passport numbers, financial account information, medical records, health insurance data, tax ID numbers, access credentials, digital signatures, and mother’s maiden names. Together, that package gives criminals everything they need to steal your identity, open fraudulent credit accounts, file false tax returns in your name, access your financial accounts, commit medical identity fraud, and impersonate you in legal and financial transactions. These are not just numbers on a database; they are the keys to your financial and legal life.
Why did the bank wait eight months to tell customers?
The settlement documents do not explain the gap. They date the attack to February 7-8, 2023 and customer notification to October 12, 2023, but do not say when the bank first detected the intrusion, how long the forensic investigation took, or whether law enforcement asked for a delay. Whatever the cause, the effect on customers is the same: for those eight months, 74,385 people had no opportunity to freeze their credit, monitor their accounts, replace compromised documents, or alert their other financial institutions. That is exactly the kind of outcome that argues for a fixed, mandatory customer-notification deadline under federal law rather than the open-ended “as soon as possible” standard that applies to banks today.
How much money will affected customers actually receive?
It depends on what you can prove. Customers with documented out-of-pocket losses related to the breach, such as credit monitoring costs, fraud resolution expenses, and identity theft losses, can claim up to $5,000. Customers who cannot produce documentation can claim a flat $100 alternative cash payment, which may be adjusted pro rata depending on how many people file claims. California residents can claim an additional $150. Everyone who files can receive one year of identity theft monitoring with up to $1 million in insurance coverage. After attorneys’ fees of up to 35% of total economic benefits and administrative costs are deducted, the pool for $100 claimants may be smaller than the headline suggests.
The bank says it did nothing wrong. Is that credible?
The bank’s denial of wrongdoing is standard settlement language and says nothing about the underlying facts. The bank does not dispute that the breach happened, that roughly 74,000 people had their data taken, or the categories of data involved. What it disputes is legal liability, and it is paying more than $2 million to resolve that dispute without a trial. The $1 million-plus in security upgrades the bank committed to is telling in a narrower way: remedial measures are a common settlement term and are not an admission, but a bank that believed its controls were already adequate would have little reason to agree to spend that much changing them.
Why does this keep happening at banks and financial institutions?
Financial institutions hold the richest data targets in the economy. The combination of Social Security numbers, financial account data, and identity documents stored together creates a honeypot for attackers. Banks often underinvest in security infrastructure relative to the value of the data they hold, because the cost of a breach, including settlements like this one, is often smaller than the cost of robust preventative security. The regulatory framework for data security in banking is fragmented across multiple agencies, and enforcement actions for inadequate security practices are rare and often inadequate. Until the penalties for inadequate data security reliably exceed the cost of compliance, many institutions will continue to treat security as a cost center rather than a customer obligation.
If I’m a class member, what should I do right now?
First, file a claim before the deadline, which is 60 days after the Notice Date; you will need the CPT ID printed on the postcard notice you received. Even if you cannot document specific losses, claim the $100 alternative cash payment and the identity monitoring services. Second, because access credentials were among the stolen data, change the password on your Tri Counties online banking account and on any other account where you reused it, and turn on multi-factor authentication wherever it is offered. Third, place a freeze on your credit with all three major bureaus (Equifax, Experian, TransUnion) if you have not already; freezes are free and prevent new credit accounts from being opened in your name. Fourth, monitor your financial accounts, medical bills and insurance explanations of benefits, and tax filings closely for signs of fraud. Fifth, enroll in the IRS Identity Protection PIN program, which is open to any taxpayer and blocks a federal return filed in your name without the PIN. Note that a replacement Social Security card carries the same number and does not help; the Social Security Administration issues a new number only in limited cases of documented, ongoing misuse.
What can I do to prevent this from happening again?
Contact your congressional representatives and demand stronger federal data security standards for financial institutions, including mandatory 72-hour breach notification requirements, minimum security standards with independent audits, and meaningful civil penalties tied to the number of consumers affected. Support organizations like the Electronic Frontier Foundation that advocate for digital privacy rights. Ask your bank directly about its data security practices and incident response protocols. When banks face lawsuits, their security improves; support organizations that bring accountability litigation. Finally, minimize the data you share with financial institutions to only what is legally required, and regularly review what information each institution holds about you.
Is $2.185 million enough compensation for exposing 74,385 people’s most sensitive data?
No. Full stop. The total economic benefit of $2.185 million, divided among 74,385 people, equals less than $30 per person before fees and costs. The data that was stolen includes information that cannot be replaced, including passport details, digital signatures, and Social Security numbers, which criminals can exploit for decades. The settlement is the result of practical litigation realities: the uncertainty of proving causation at trial, the cost of prolonged litigation, and the risk that a jury might award nothing. The legal system produced a settlement that provides some relief, but it cannot undo the breach, cannot retrieve the stolen data, and cannot fully compensate victims for a lifetime of elevated fraud risk.


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
