Gravity Payments Discloses Data Breach Exposing Personal Info

On Feb. 5, 2026, Gravity Payments, a Seattle-based credit card processing and financial services company, disclosed a data breach affecting 2,278 individuals across the United States, including at least 14 residents of Maine.

The incident originated from a vulnerability in the software of a third-party service provider used for customer relationship management. On Aug. 22, 2025, this provider notified Gravity Payments that an unknown actor had exploited the vulnerability, resulting in unauthorized access to certain files belonging to the company.

Upon learning of the breach, Gravity Payments launched an investigation with the help of external cybersecurity experts, determining that a limited number of files were accessed by an unauthorized third party. The company then undertook a time-intensive review to identify what personal information was exposed, completing this process on Jan. 15, 2026.

The exposed information includes names and additional personal data, although the specific types of data (such as Social Security numbers or financial account details) were not detailed in the public notice.

The breach was reported to the Maine Attorney General and the Vermont Attorney General.

Gravity Payments' response

Gravity Payments responded to the breach by securing their systems and permanently revoking the third-party provider’s access to their data. Law enforcement was notified, and the company worked with cybersecurity professionals to ensure that there was no ongoing threat to their systems or network.

To support affected individuals, Gravity Payments is offering complimentary credit monitoring and identity restoration services through Experian for an unspecified number of months (the exact duration is detailed in the individual notice). Affected individuals must enroll within 90 days of receiving the notification letter.

The company encourages those affected to remain vigilant, review account statements, and monitor credit reports for suspicious activity. The notice also provides detailed instructions on how to request free annual credit reports, place fraud alerts, and implement security freezes with major credit bureaus.

Given that the breach occurred due to a third-party vulnerability, it is especially important for affected individuals to take advantage of the credit monitoring service and to consider placing a fraud alert or security freeze on their credit files.