Chime Faces Class Action Lawsuit Over Alleged Data Breach and Cybersecurity Failures On April 3, 2026, two Chime customers Cindy Castaneda and Lauren Goodloe filed a class action lawsuit against the San Francisco-based fintech company in the U.S. District Court for the Northern District of California. The suit alleges Chime failed to protect customer data and account access during a cyberattack on April 1, 2026, that disrupted its platform. The plaintiffs claim they lost access to their accounts during the outage. Castaneda reported being unable to view updated balances in her checking and savings accounts, while Goodloe encountered a black screen displaying outdated information, preventing him from transferring funds or paying bills. The lawsuit states that at the attack’s peak, an estimated 20,000 users experienced issues, with no alternative access to funds due to Chime’s digital-only banking model. The cyberattack was allegedly carried out by Team 313, a group known for data theft and extortion, which claimed responsibility on its leak site and social media. The lawsuit accuses Chime of failing to meet industry cybersecurity standards, including FTC guidelines, the NIST Cybersecurity Framework, and CIS Critical Security Controls, despite its privacy policy promising robust protections. Additionally, the plaintiffs allege Chime did not notify affected customers in a timely manner, leaving them unable to take protective measures like monitoring accounts or placing fraud alerts. The complaint suggests that stolen personally identifiable information (PII) may already be or soon will be published on the dark web, though Chime has not confirmed this. The lawsuit includes eight legal claims, among them: - Negligence and negligence per se for failing to exercise reasonable care in data protection. - Breach of implied contract and good faith for not delivering on promised security measures. - Unjust enrichment for profiting from data collection without adequate safeguards. - Violations of California’s Unfair Competition Law and Consumer Privacy Act for allegedly unlawful business practices and insufficient security for unencrypted PII. - A request for a declaratory judgment to formally establish Chime’s data security obligations. The plaintiffs are seeking compensatory and punitive damages, restitution, injunctive relief to enforce security improvements, and attorneys’ fees. The proposed class includes all U.S. residents whose PII was compromised in the April 2026 breach. The case remains pending in federal court in San Francisco, with no settlement or claims process currently in place.