Bank Data Breaches
Banks are high-value targets for cybercriminals, and the number of data breaches at financial institutions continues to rise. According to the Identity Theft Resource Center’s 2023 report, while most industries saw modest increases, the financial services industry saw more than double the number of compromises compared to 2022. Kroll reported that the financial sector accounted for 27% of the breaches it handled in 2023, and the volume of interactive intrusion activity against the industry increased by over 80%.
When a financial institution is breached, criminals can access account credentials, Social Security numbers, and other sensitive data—fueling identity theft and fraud. Having your sensitive information exposed can be terrifying, leaving you unsure what to do next. Class Action U offers resources and information for victims of data breaches and can help them navigate their legal rights.
What Are Bank Data Breaches?
A bank data breach occurs when unauthorized access is gained to a bank’s systems, putting customers’ personal information at risk. Cybercriminals utilize cyberattacks, hacking, and phishing scams to secure information through a data breach, no matter the industry. Criminals also attack third-party providers, which may have fewer security measures than the main company but still have access to customer information.
When hackers attack a bank, data breaches can compromise customers’ login information, financial accounts, and personal information.
Why Are Banks Targeted by Cybercriminals?
Cybercriminals typically target financial companies due to the high value of customers’ bank account information, login credentials, and other personal information. After gaining access, cybercriminals can steal this data and use it to commit financial fraud, identity theft, and ransomware attacks— or even to sell on the dark web.
How Bank Data Breaches Affect Customers
When a bank data breach occurs, customers can face serious consequences. If your data has been compromised, you may face identity theft, unauthorized transactions on your accounts, long-term impacts on your credit score, and financial uncertainty.
Financial Loss and Identity Theft
After your personal information is released from a data breach, cybercriminals may be able to access your financial accounts or cards. This immediately puts your financial well-being at risk, with financial loss from unauthorized transactions and identity theft.
Impact on Credit Scores and Financial Stability
Due to these unauthorized transactions, you could potentially lose money and experience significant damage to your credit score. If you experience unauthorized transactions, your credit card balances may become high before you notice your account being compromised.
Unauthorized transactions can have long-term impacts on your credit score and personal finances, making it harder to secure lower interest rates or obtain loans after recovering from financial fraud.
Banking Laws and Consumer Protections After a Data Breach
There is no single federal omnibus breach-notification law, but all U.S. states and D.C. have breach-notice statutes. Financial institutions are also subject to federal frameworks like the Federal Trade Commission Act (FTC Act), which allows the FTC to issue industry-wide regulations, keeping businesses liable for protecting consumer data.
The FTC may intervene if a company fails to notify customers of a data breach. In addition to federal and state data laws, laws are designed to protect consumer data with financial institutions.
The Right to Financial Privacy Act (RFPA)
The Right to Financial Privacy Act (RFPA), established in 1978, protects consumers’ financial records with financial institutions and customers’ confidentiality of personal financial records.
These records cannot be shared or released without the consumer’s permission. There are some exceptions, but customers must be notified if their financial records are accessed.
RFPA governs government access to your bank records; it’s not a general breach-notice statute.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a federal law that oversees the privacy and security of customers’ financial data. It regulates how financial institutions collect, share, and protect this information.
This act requires financial institutions to inform customers about how their information is shared, provide opt-out options, and develop security measures to protect their customers’ data.
Major Bank Data Breach Incidents
In the past five years, multiple banking institutions have faced data breaches, including some of the largest, most trusted banks in the U.S.
Flagstar Bank 2021
In December 2021, Flagstar Bank experienced a data breach that affected 1.5 million customers, showing how sensitive information is at risk. The bank did not confirm whether any data was sold, leaked, or misused, or what caused the breach.
Truist Bank 2023
Truist Bank experienced a data breach in October 2023 after a hacker group breached its system and sold employee information. Truist Bank is one of the largest in America, and is responsible for over $500 billion in assets, meaning there’s plenty for its customers to lose in case of data breaches.
SRP Federal Credit Union 2024
From September to November of 2024, a ransomware group hacked into SRP Federal Credit Union, accessing Social Security numbers, driver’s license numbers, dates of birth, and financial account information. This data breach left 240,000 customers’ information compromised, and legal action is being considered.
Evolve Bank & Trust 2024
In June 2024, Evolve Bank and Trust was attacked and saw a data breach, with customer data being stolen and later sold on the dark web. This compromise released account numbers and deposit balances, and affected customers were notified. The company offered credit monitoring and identity theft protection services.
EquiLend Breach 2024
Lending firm Equilend Holdings notified employees in March 2024 that there was a data breach in January 2024. In the cyberattack, no client information was accessed, but employees’ personal identifiable information was stolen.
There are no signs of fraudulent activity using the stolen information. This breach is particularly concerning, as EquiLend has offices in different countries and clients worldwide, such as lending banks and hedge funds.
Prudential Data Breach 2024
Prudential Financial agreed to a settlement of $4.75 million, with up to $5,000 per person, after a data breach in 2024. After Prudential Financial was hacked, current and former customers in the millions saw their personal data compromised. If you suffered from this data breach, you must file a settlement claim before October 3, 2025.
Bank of America 2025
The number of affected customers is unknown, but Bank of America experienced data leaks in December 2024 and January 2025. Both incidents were caused by a third-party issue, showing the need for vendors to handle customer data securely.
The December incident found customer names, Social Security numbers, and financial information outside secure containers, and the January incident affected at least 400 customers.
Can You Sue After a Bank Data Breach?
If your personal information was compromised through a bank data breach, you may be able to sue your bank. If your data is exposed due to negligence or inadequate security measures, you can sue a company for a data breach, holding it responsible and obtaining compensation for your damages.
You can sue a bank if it failed to protect your personal information, as regulated by law, and if the personal data breach caused you psychological distress, financial loss, or both, or if you spent significant time trying to address the data breach and its consequences.
What to Do If You’ve Been Affected by a Bank Data Breach
If your information was compromised in a bank data breach, you may be overwhelmed and unsure what to do next. Knowing the immediate steps you can take to help protect yourself is crucial.
First, you should find as much information about the data breach as possible and what data was exposed. Depending on your state and the company that experienced the breach, you could be notified of the data breach by email or in the mail.
You may be entitled to legal action for financial damages if your information was compromised in a data breach.
Contact Your Bank Immediately
If you suspect your data has been compromised, contact your bank immediately to report the breach and gather evidence. Change your account passwords, use two-factor authentication when possible, and monitor your accounts and finances for any unauthorized transactions.
Monitor Your Bank Accounts and Credit Reports
Set up alerts for any financial accounts to inform you of any transactions. Monitor your bank statements and credit reports for unusual or suspicious activity and set up alerts for fraud or credit freezes.
Report Fraud and Identity Theft
You should report any fraud or identity theft to the proper authorities. If you are experiencing fraud, you can report the incident to the FTC’s ReportFraud site. Fraud resources are also available through the Office of the Comptroller of the Currency (OCC).
You should also contact your local law enforcement to file a police report and the local FBI office to notify them of the fraudulent activity so they can investigate further. Provide them with any information you have about the data breach and any evidence of fraudulent activity you have.
You should also contact your credit card companies, so they are aware of any suspicious activity.
Consult a Data Breach Lawyer
After a bank data breach, your most sensitive information may be compromised, which could lead to financial difficulties and fraud. Discussing your case with a data breach lawyer can help you understand all the options available, like joining a class action lawsuit, starting your own, or filing an individual case.
We can connect you with a data breach attorney who can help determine the best course of action after a bank data breach. If you suspect your personal information has been compromised, contact Class Action U today for a free, no-obligation consultation.
"*" indicates required fields