Gravity Payments Discloses Data Breach Exposing SSNs

On Feb. 5, 2026, Gravity Payments, a Seattle-based credit card processing and financial services company, disclosed a data breach affecting 22,278 individuals across the United States, including 677 residents of Washington, 16 residents of Massachusetts, 14 residents of Maine and four residents of New Hampshire.

The incident originated from a vulnerability in the software of a third-party service provider used for customer relationship management. On Aug. 22, 2025, this provider notified Gravity Payments that an unknown actor had exploited the vulnerability, resulting in unauthorized access to certain files belonging to the company.

Upon learning of the breach, Gravity Payments launched an investigation with the help of external cybersecurity experts, determining that a limited number of files were accessed by an unauthorized third party. The company then undertook a time-intensive review to identify what personal information was exposed, completing this process on Jan. 15, 2026.

The exposed information includes names, Social Security numbers, financial and banking information, dates of birth, username and password, and security question and answers.

The breach was reported to the Indiana Attorney General, the Maine Attorney General, the New Hampshire Attorney General, the Vermont Attorney General, and the Washington Attorney General. The Massachusetts Office of Consumer Affairs and Business Regulation was also reported to.

Gravity Payments' response

Gravity Payments responded to the breach by securing their systems and permanently revoking the third-party provider’s access to their data. Law enforcement was notified, and the company worked with cybersecurity professionals to ensure that there was no ongoing threat to their systems or network.

To support affected individuals, Gravity Payments is offering complimentary credit monitoring and identity restoration services through Experian for an unspecified number of months (the exact duration is detailed in the individual notice). Affected individuals must enroll within 90 days of receiving the notification letter.

The company encourages those affected to remain vigilant, review account statements, and monitor credit reports for suspicious activity. The notice also provides detailed instructions on how to request free annual credit reports, place fraud alerts, and implement security freezes with major credit bureaus.

Given that the breach occurred due to a third-party vulnerability, it is especially important for affected individuals to take advantage of the credit monitoring service and to consider placing a fraud alert or security freeze on their credit files.