New class action lawsuit alleges Chime data breach compromised customer data

On April 3, 2026, two Chime customers filed a class action lawsuit against Chime Financial in the U.S. District Court for the Northern District of California. The lawsuit alleges the San Francisco-based fintech company failed to protect customer data and banking access during a cyberattack that knocked the platform offline on April 1, 2026.

Cindy Castaneda and Lauren Goodloe allege they lost access to their accounts during the outage. Castaneda claims she could not see updated balances in her checking and savings accounts. Goodloe alleges he logged in to pay his rent and viewed a black screen showing an outdated savings balance, leaving him unable to transfer money or pay bills.

What happened

On April 1, 2026, Team 313, a cybercriminal group known for data theft and extortion, allegedly launched an attack on Chime's servers. The group claimed responsibility on its own leak site and social media.

At its peak, an estimated 20,000 users reported issues using Chime, the lawsuit alleges. Because Chime operates entirely through its app and website with no physical branches, users depending on it as their primary banking option had no alternative way to access their funds, the plaintiffs claim.

Alleged failures in cybersecurity safeguards

Chime failed to maintain adequate cybersecurity protections despite its privacy notice stating it maintains safeguards designed to protect customer data, the lawsuit claims. The complaint alleges Chime fell short of several widely recognized standards, including Federal Trade Commission guidelines, the NIST Cybersecurity Framework and CIS Critical Security Controls.

The plaintiffs claim Chime failed to notify affected customers about the breach within a reasonable time, depriving them of the opportunity to monitor accounts, change passwords or place fraud alerts. The complaint claims Team 313 already or soon will publish stolen personally identifiable information on the dark web though Chime has not confirmed this.

The legal claims

The complaint brings eight causes of action:

  • Negligence and negligence per se, alleging Chime failed to use reasonable care in protecting customer data
  • Breach of implied contract and breach of the implied covenant of good faith and fair dealing, saying Chime promised data protections it did not deliver
  • Unjust enrichment, claiming Chime profited from collecting data without providing adequate security in return
  • Violation of California's Unfair Competition Law, targeting allegedly unlawful and unfair business practices
  • Violation of the California Consumer Privacy Act, stating Chime failed to maintain reasonable security for unencrypted personal information
  • Declaratory judgment, asking the court to formally establish Chime's data security obligations

The plaintiffs seek compensatory damages, punitive damages, restitution, injunctive relief requiring Chime to improve its security practices and attorneys' fees.

What this means for Chime users

The proposed class includes all U.S. residents whose personally identifiable information the April 2026 breach compromised. There is no settlement, no claims process and no money available at this time. The lawsuit is pending in federal court in San Francisco.